Foreword



Teacher Xiao will turn 70 this year. As his students, we learnt from him not
only scientific knowledge, but also the ethics of life; not only through the
lectures in the serious classroom, but also through the conversations outside the
campus over the world, politics, economics and life. We all enjoyed the time
listening to your lectures and we are proud to be your students.

For a quarter of a century, Teacher Xiao has educated hundreds of us in
the fields of mathematics, information theory, communication, cryptology, etc.
Today, the “old classmates” have grown up into society; many of them are
taking key positions all over the world. Especially, as we talk about it, the
“Xidian branch schools” are spreading the seeds in many places like Beijing,
Shanghai, ....

I think he would be proud of the intellect, energy and enthusiasm that he gave 
us during our campus life and would be especially proud of his achievements 
and the achievements that his students have made since our Xidian life. 

Best wishes to Teacher Xiao’s seventieth birthday! 



Xuejia Lai, Zürich, Switzerland




Preface 



This workshop entitled “Progress on Cryptography: 25 Years of Cryptography
in China” is being held during the celebration of Professor Guozhen Xiao’s 70th
birthday. This proceedings is a birthday gift from all of his current and former
graduate students, who have had the pleasure of being supervised by Professor
Xiao during the last 25 years.

Cryptography, in Chinese, consists of two characters meaning “secret coding”.
Thanks to Ch’in Chiu-Shao and his successors, the Chinese Remainder
Theorem became a cornerstone of public key cryptography. Today, as we
observe the constant usage of high-speed computers interconnected via the
Internet, we realize that cryptography and its related applications have developed
far beyond “secret coding”. China, which is rapidly developing in all areas of
technology, is also writing a new page of history in cryptography. As more and
more Chinese become recognized as leading researchers in a variety of topics in
cryptography, it is not surprising that many of them are Professor Xiao’s former
students.

We will never forget a moment in the late 1970’s, during the time when China
was just opening its door to the world, when Professor Xiao explained the idea of
public key cryptography at a lecture. We were so fascinated that many of us have
since devoted our careers to cryptography research and applications. Professor
Xiao had started a weekly cryptography seminar, where we discussed newly
published cryptography research papers from all over the world. We greatly
benefited from the method he taught us, which was to catch the main ideas of
each piece of research work. He also influenced us deeply by his method of
approaching a creative breakthrough. As he said, “only when you can stand
on the top of the existing results, just as you stand on the highest peak to look
at all the mountains, can you figure out where to go next.” With this advice,
we took our first step in research by thoroughly understanding other people’s
work. As a result, many of us generated our first few pieces of work through
the seminars.

“Professor Xiao’s graduate students”, as a group, has been attracting the
attention of the academic cryptography community since the first ChinaCrypt
in 1984, at which his first few graduate students presented some very impressive
work. After 20 years, the research interests of the group have extended to a
variety of areas in cryptography. This proceedings includes 32 papers. These
papers cover a range of topics, from mathematical results of cryptography to
practical applications. This proceedings includes a sample of research conducted
by Professor Xiao’s former and current graduate students.

In China, we use the term “peaches and plums” to refer to “pupils and disciples”.
Now Professor Xiao’s peaches and plums have spread all over the world.
We are recognized as a special group in the cryptography community with not
only our distinguished achievements but also our outstanding spirit. Many people
have asked about the underlying motivation behind this quarter-century legend
in cryptography research, made by Professor Xiao and his students. Among
all possibilities, I would consider independent thinking and an honest attitude as
the most crucial aspects. Professor Xiao guided us not only to a fascinating
scientific field where many of us made our life-long careers but also to a realm
of thought which made us who we are today.

Please join me in wishing Professor Xiao a Happy 70th Birthday. 

Lidong Chen, Palatine, IL, USA




This proceedings is dedicated to Professor Guozhen Xiao on his 70th birthday




RANDOMNESS AND DISCREPANCY 
TRANSFORMS 

Guang Gong 

Department of Electrical and Computer Engineering, University of Waterloo 

Waterloo, Ontario N2L 3G1, CANADA

ggong@calliope.uwaterloo.ca

Abstract In this paper, a new transform of ultimately periodic binary sequences, called
a discrepancy transform, is introduced in terms of the Berlekamp-Massey algorithm.
First, we show that the run property of the discrepancy sequences
dominates the randomness of linear span profiles of the sequences. Then, using
a modified version of the Berlekamp-Massey algorithm, we provide a method
to construct a large family of nonlinear permutations of $GF(2^n)$. Thirdly, applying
these permutations as filtering functions to filtering generators, we obtain
that the resulting output sequences possess good randomness and have efficient
implementations in both hardware and software.

Keywords: discrepancy transform, permutations, filtering generator 

1. Introduction 

Pseudo-random sequence generators are widely used in secure communications,
such as key stream generators in stream cipher cryptosystems, session key
generators in block cipher cryptosystems, pseudo-random number generators
in public-key cryptosystems, and digital watermarking.

In 1984, Rueppel [18] addressed the problem that a large linear span cannot
guarantee unpredictability of a sequence. He then suggested considering the linear
span profile of a sequence as a complementary measure of the randomness of the sequence.
Since then, a considerable amount of research work has been done along this
line [10][11][17]. The linear span profile of a sequence is controlled by the runs of
zeros in its discrepancy sequence. This allows us to give a quantitative definition
of a smoothly increasing linear span profile.

Inspired by the fact that discrepancy sequences dominate the behavior
of linear span profiles, we explore the inverse process for the construction
of possibly good pseudo-random sequence generators. By restricting the
discrepancy transform to an $n$-dimensional linear space over $GF(2)$ and using
a modified Berlekamp-Massey algorithm, we derive a large family of nonlinear
permutations of the finite field $GF(2^n)$, represented by Boolean functions.
Applying the inverses of these permutations as filtering functions to filter
generators, we obtain pseudo-random sequence generators with good randomness,
unpredictability, and efficient implementation in both hardware and software.

This paper is organized as follows. In Sections 2 and 3, we introduce the
discrepancy transform and discuss its application in the analysis of randomness
of linear span profiles of sequences. In Section 4, we construct a family of
permutations of $GF(2^n)$ in terms of a modified Berlekamp-Massey algorithm,
and provide randomness properties of a class of filtering generators in which
the filtering functions are the inverse discrepancy transforms.

Note. In this paper, we restrict ourselves to $\mathbb{F}_2$. However, all the results
obtained here can be easily generalized to an arbitrary finite field. For an
introduction to sequence design and analysis, the reader is referred to [4], [18].

2. Discrepancy Transforms 

In this section, we introduce the discrepancy transform and the inverse
discrepancy transform. Let us denote $R = \{\{a_i\} \mid a_i \in \mathbb{F}_2\}$, the ring of binary
sequences with infinitely many elements; $R_0 \subset R$, which contains all ultimately periodic
sequences of $R$; and $R_{-1} = \{(d_0, d_1, \cdots, d_{r-2}, d_{r-1}, 0, 0, \cdots) \in R\} \subset R$,
i.e., if $d = \{d_i\} \in R_{-1}$, then there is a positive integer $r$ such that $d_i = 0$, $\forall i \ge r$.

We denote it as $\{d_i\} = (d_0, d_1, \cdots, d_{r-1}, \bar{0})$, and call $r$ the ending point of $d$
if $d_{r-1} \ne 0$.

Definition 1. Let $a = \{a_i\} \in R$. For any $n > 0$, let $\mathrm{LFSR}(f_{n-1}, l_{n-1})$
generate the sequence $a_0, a_1, \cdots, a_{n-1}$. We denote $l = l_{n-1}$ and
$f_{n-1}(x) = x^l + \sum_{i=0}^{l-1} c_i x^i$, and let
$$d_n = a_n + \sum_{i=0}^{l-1} c_i\, a_{n-l+i}, \quad n = 1, 2, \cdots .$$
Then $d_n$ is called the next discrepancy bit of the sequence, and $\{l_n\}$ a linear span profile
of the sequence.

Definition 2. Let $a = \{a_i\} \in R_0$ be a binary sequence with parameter $(u, N)$ ($u$ the
preperiod and $N$ the period), and let $M = 2N + u$. Let $D(a) = \{d_n\}$ be the sequence in $R_{-1}$
where $d_n$ is the next discrepancy bit computed by the Berlekamp-Massey Algorithm (BMA,
see the Appendix) for $0 \le n < M$ and $d_n = 0$ for all $n \ge M$. Then $D$ is
called a discrepancy transform from $R_0$ to $R_{-1}$. The sequence $\{d_i\}$ is called a
discrepancy (transform) sequence of $\{a_i\}$.

For example, let $a = (1001011)$ be a sequence of period 7. Then
$$D(a) = \{d_i\} = (1101010000\cdots) = (110101, \bar{0}).$$

Let $LS(x)$ represent the linear span of a sequence $x$. Let $a = \{a_i\}$ be a
sequence in $R_0$ with period $N$ and $D(a) = \{d_i\}$ be the discrepancy sequence
of $a$. From the BMA, it is clear that if $LS(a) = l$, then $d_n = 0$, $\forall n \ge 2l$.
Theorem 2.1. $D$ is a bijective map from $R_0$ to $R_{-1}$.

Proof. Let $a = \{a_n\} \in R_0$ be a sequence with parameter $(u, N)$.
From the BMA, the polynomials $f_n$, $0 \le n < M$, constructed by the BMA
are uniquely determined. From the definition of $D$, it is clear that $D$ is
injective. So it suffices to show that $D$ is surjective. In other words, we
need to prove that for any sequence $d$ in $R_{-1}$ there exists an ultimately periodic
sequence $a \in R_0$ such that $d$ is the discrepancy sequence of $a$. We can construct
a sequence $a$ from $d$ by switching the roles of $a_n$ and $d_n$ in the BMA: at each step
$a_n$ is taken to be the prediction of the current LFSR plus $d_n$ (the
details are omitted here for lack of space). Therefore $\mathrm{LFSR}(f_{r-1}, l_{r-1})$
generates the sequence $a$. Thus $a$ is an ultimately periodic sequence with the
parameter $(u, t)$ where $t = \mathrm{per}(g)$ and $f_{r-1} = x^u g(x)$ with $g(0) \ne 0$ (see
[13]). In other words, we get that $a_{n+t} = a_n$ for all $n \ge u$. So $a \in R_0$ and
$D(a) = d$. Thus $D$ is a surjective map from $R_0$ to $R_{-1}$. Therefore $D$ is a
bijective map between $R_0$ and $R_{-1}$. □

According to Theorem 2.1, $D$ is invertible and $D^{-1}(d)$ can be constructed
by the proof of Theorem 2.1. The inverse map of $D$ is called the inverse
discrepancy transform (IDT), and the sequence $D^{-1}(d)$ an inverse discrepancy
(transform) sequence of $d$. From the proof of Theorem 2.1, we have the
following result on the inverse discrepancy sequences.

Corollary 1. With the notation in Theorem 2.1,

(a) $f_{r-1}$ is the minimal polynomial of $D^{-1}(d)$, so that $l_{r-1}$ is the linear
span of the inverse discrepancy sequence, i.e., $LS(D^{-1}(d)) = l_{r-1}$.
Furthermore, $l_{r-1} = \lceil r/2 \rceil$ where $\lceil x \rceil$ represents the least integer that
is not less than $x$.

(b) $D^{-1}(d)$ is an ultimately periodic sequence with the parameter $(u, t)$
where $u \le l_{r-1}$ and $t = \mathrm{per}(g)$ where $f_{r-1} = x^u g(x)$ with $g(0) \ne 0$.

Example 1. Let $d = (1001011, \bar{0}) \in R_{-1}$ with $r = 7$. Then
$$D^{-1}(d) = a = 1110111101\cdots \in R_0,$$
which is a periodic sequence with period 5, i.e., $a_{n+5} = a_n$ for all $n \ge 0$.
Furthermore, $f_6 = x^4 + x^3 + x^2 + x + 1$ has period 5. Note that the first 7
elements of $d$ are taken from the elements in a period of an m-sequence with
period 7.

Example 2. Let $d = (110011010001011, \bar{0}) \in R_{-1}$ with $r = 15$. Then
$$D^{-1}(d) = 100\ \,01110\,00101011010000110010011111\ \,01110 \cdots .$$
Hence $f_{14}(x) = x^8 + x^7 + x^6 + x^5 + x^3 = x^3 g(x)$ where $g(x) = x^5 + x^4 + x^3 + x^2 + 1$
is a primitive polynomial over $\mathbb{F}_2$. Therefore $LS(D^{-1}(d)) = 8$ and
$D^{-1}(d)$ is an ultimately periodic sequence with the parameter $(3, 31)$, i.e.,
$a_{n+31} = a_n$ for all $n \ge 3$. Note that the first 15 elements of $d$ are taken from
the elements of a period of a modified de Bruijn sequence [15] with period 15.

3. Runs of Discrepancy Sequences and Linear Span 
Profiles 

In this section, we first show that the randomness of the linear span profile of a
sequence is dominated by its discrepancy transform sequence. We then give
a criterion for a smoothly increasing linear span profile and an optimal linear
span by means of runs of the discrepancy sequence. By carefully determining
the values of $c$ and $b$ in the Berlekamp-Massey algorithm, we can establish the
following results (the proof will be provided in the full paper).

Theorem 3.1. Let $a \in R_0$ and let $d = D(a) = \{d_i\}$ be its discrepancy sequence. Let $\gamma_n$ be
the greatest length of runs of 0’s in $(d_0, d_1, \cdots, d_{n-1})$. Then $\{l_n\}$, the
linear span profile of $a$, satisfies $l_n - l_{n-1} \le \gamma_n + 1$, $\forall n > 0$.

Corollary 2. With the notation in Theorem 3.1, for any $n > 0$ with $l_n > l_{n-1}$,
$l_n - l_{n-1} = \alpha + 1$ where $\alpha = n - 1 - j$ and $j$ is the largest number in the set
$\{m, m+1, \cdots, n-1\}$ such that $d_j = 1$ and $(d_{j+1}, d_{j+2}, \cdots, d_{n-1})$ is a run of 0’s,
where $m$ is an integer satisfying $l_{m-1} < l_m = l_{m+1} = \cdots = l_{n-1}$. In other words, the
difference between $l_n$ and $l_{n-1}$ is equal to the length of the run of 0’s preceding
$d_n$ plus one.
According to Theorem 3.1 and Corollary 2, the behavior of the linear span
profile of a periodic sequence is completely determined by the lengths of runs in the
discrepancy sequence. More precisely, given a sequence $d \in R_{-1}$, a pseudo-random
sequence generator (PSG) generates an inverse discrepancy sequence
$D^{-1}(d) = \{a_i\}$ in the following fashion. At each clock cycle $n \ge 0$, if $d_n = 0$,
then the PSG uses the previous LFSR to generate the current bit $a_n$. If $d_n = 1$,
then the PSG reloads a new LFSR to generate the current bit $a_n$. So the $n$th bit of
output of the PSG is generated by the previous LFSR or a new LFSR depending
on $\{d_n\}$. In the discrepancy sequence, a run of 0’s of length $t$ means that the
PSG does not change the LFSR during $t$ consecutive clock cycles. A run of
1’s of length $t$ means that the PSG changes the LFSR at each clock cycle during $t$
consecutive clock cycles, where the lengths of these LFSRs may not change. The
randomness of runs of a sequence is given by Golomb’s randomness postulate
R-2. If the discrepancy sequence satisfies the randomness postulate R-2, then
the frequency with which the PSG changes LFSRs can be considered as a random
variable with a uniform distribution. We summarize these discussions into the
following criteria for measuring randomness of pseudo-random sequences.

Let $a$ be a sequence of period $N$ and $d = (d_0, d_1, \cdots, d_{r-1}, \bar{0})$ be its
discrepancy sequence. Note that if a sequence of period $N$ or length $N$ satisfies
the randomness postulate R-2, then the greatest length of runs in the sequence
is bounded by $\sigma(N) = \lfloor \log_2 N \rfloor + 1$. So $\sigma(r)$ is the best bound for the
largest length of the runs of zeros in $d$.

Randomness Criteria of Linear Spans: (a) If the greatest length of runs of 0’s in the
discrepancy sequence is at most $\sigma(r)$ for any shift of $a$, then we say that $a$ has a
smoothly increasing linear span profile. (b) If the discrepancy sequence
satisfies the randomness postulate R-2 for any shift of $a$, and $LS(a)$, the linear
span of $a$, satisfies
$$N/2 - \epsilon \le LS(a) \le N \quad \text{where } 0 \le \epsilon \le c\,\sigma(r), \qquad (1)$$
where $c > 0$ is a constant, then we say that $a$ has an optimal linear span.

We tested some known generators with small parameters. For example, we
considered three types of known pseudo-random sequences whose linear spans
satisfy (1), i.e., de Bruijn sequences [3] with period $2^n$, the self-shrinking sequences
[16] with period $2^{n-1}$, and the elliptic curve sequences of type I [6] with period
$2^{n+1}$, where $n$ is the parameter related to their respective constructions. If
$2^n - 1$ is a prime, then we have quadratic sequences with period $2^n - 1$. For
their discrepancy sequences, none of them satisfies the randomness postulate
R-2. However, the experimental results showed that some of them did satisfy
the condition for smoothly increasing linear span profiles.

When we use the inverse process discussed above to generate pseudo-random sequences,
it is clear that the $n$th bit depends on the previous $n - 1$ bits.
Thus it is impossible to hold or store all the bits of an inverse discrepancy
sequence in practical cryptosystems. How to generate a sequence that considerably
preserves the features provided by inverse discrepancy sequences
with good randomness, while considerably reducing the computational cost in both
time and space, is the purpose of the remaining section.

4. Restricted Discrepancy Transforms and Filtering
Generators with D-Permutations

In this section, we first discuss a restriction of the discrepancy transform to
$V = \{(x_0, x_1, \cdots, x_{n-1}) \mid x_i \in \mathbb{F}_2\}$ and how to construct a large family of
permutations resulting from the restricted discrepancy transform. We then present
randomness properties of filtering generators in which the filtering functions
are the $n$th component of the constructed permutations. Let $V = \mathbb{F}_2^n$. Then
$V$ can be embedded into $R_0$ [8]. Thus we have $D_V$, the restriction of $D$ to $V$, as follows:
$$D_V(a_0, a_1, \cdots, a_{n-1}) = (d_0, d_1, \cdots, d_{n-1}) \qquad (2)$$
where $d_i$, $0 \le i < n$, are computed by the BMA. Note that any function from
$V$ to $V$ can be represented by its $n$ component functions. In other words, we
can write
$$(x_0, x_1, \cdots, x_{n-1}) \mapsto (g_{n,0}, g_{n,1}, \cdots, g_{n,n-1}),$$
where $g_{n,i} = g_{n,i}(x_0, x_1, \cdots, x_{n-1})$ is a function from $V$ to $\mathbb{F}_2$, i.e., a Boolean
function in $n$ variables $x_0, \cdots, x_{n-1}$.

Lemma 1. $D_V$ is a permutation of $V$.

Proof. According to Theorem 2.1, $D_V$ is a bijective map on $V$. Since $V$ is
isomorphic to the finite field $\mathbb{F}_{2^n}$, $D_V$ is a permutation of $V = \mathbb{F}_{2^n}$. □

We call $D_V$ a restricted discrepancy transform on $V$ and $D_V^{-1}$ the inverse
restricted discrepancy transform on $V$.

Theorem 4.1. Let $D_V = (g_{n,0}, g_{n,1}, \cdots, g_{n,n-1})$ be the restricted discrepancy
transform on $V$. Then $D_V$ is a nonlinear permutation of $\mathbb{F}_{2^n}$ for $n > 2$ for
which
$$g_{n,i}(x_0, x_1, \cdots, x_{n-1}) = g_{i+1,i}(x_0, x_1, \cdots, x_i), \quad 0 \le i < n. \qquad (3)$$
Precisely, for $i = 0, 1, 2$ and $3$, we have $g_{1,0}(x_0) = x_0$, $g_{2,1}(x_0, x_1) = x_0 + x_1$,
$g_{3,2}(x_0, x_1, x_2) = x_0 x_1 + x_2$, $g_{4,3}(x_0, x_1, x_2, x_3) = x_1 + x_1 x_2 + x_0 x_1 x_2 + x_3$,
and
$$g_{n,n-1}(x_0, x_1, \cdots, x_{n-1}) = h(x_0, x_1, \cdots, x_{n-2}) + x_{n-1}, \quad n > 1, \qquad (4)$$
where $h(x_0, x_1, \cdots, x_{n-2})$ is a Boolean function in $n - 1$ variables.

A proof of this result will be provided in the full version of this work. The
inverse restricted discrepancy transform $D_V^{-1}$ has similar properties to those of
$D_V$.

Corollary 3. Let $D_V^{-1}(x) = (f_{n,0}, f_{n,1}, \cdots, f_{n,n-1})$ be the inverse of $D_V$. Then
$D_V^{-1}$ is nonlinear for $n > 2$ and
$$D_V^{-1}(x_0, x_1, \cdots, x_{n-1}) = (f_{1,0}, f_{2,1}, f_{3,2}, f_{4,3}, \cdots, f_{n,n-1})$$
where
$$f_{n,i}(x_0, x_1, \cdots, x_{n-1}) = f_{i+1,i}(x_0, x_1, \cdots, x_i), \quad 0 \le i < n.$$
Precisely, for $i = 1, 2, 3$ and $4$, we have $f_{1,0}(x_0) = x_0 = g_{1,0}$, $f_{2,1}(x_0, x_1) =
x_0 + x_1 = g_{2,1}$, $f_{3,2}(x_0, x_1, x_2) = x_0 + x_0 x_1 + x_2$, and $f_{4,3}(x_0, x_1, x_2, x_3) =
x_0 + x_1 + x_1 x_2 + x_0 x_1 x_2 + x_3$.

By this method, for fixed $n$, we can construct only one pair of nonlinear
permutations $D_V$ and $D_V^{-1}$ from the BMA. In order to construct a family of
permutations on $V$ in terms of the discrepancy transform, we modify the initial
step and the loop step in the BMA (see the Appendix) as follows. For $0 < n_0 < n$
and $0 < u < n$, let
$$R = \Big\{ x^{n_0} + \sum_{i=0}^{n_0-1} r_i x^i \;\Big|\; r_i \in \mathbb{F}_2 \Big\}, \qquad (5)$$
$$U = \Big\{ x^{u} + \sum_{i=0}^{u-1} u_i x^i \;\Big|\; u_i \in \mathbb{F}_2 \Big\}. \qquad (6)$$
At the initial step, choose one of the polynomials in $R$, say $r_{n_0}(x)$, to generate the
sequence $(a_0, a_1, \cdots, a_{n_0}) = (0, 0, \cdots, 0, 1)$. At the loop step, if $d_n = 1$, we
select one of the polynomials in $U$, say $t_u(x)$. The rest of the procedure remains unchanged.
In this way, we can construct at least $2^{n(n-2)/4}$ permutations of $GF(2^n)$ if $n$ is even and
$2^{(n-1)(n-3)/4}$ if $n$ is odd.

In the following, we present the randomness properties of filtering generators
for which the filtering functions are inverse $D$-permutations. Let $g(x)$ be a $D$-permutation
on $V$. We can write $g^{-1}(x)$, the inverse of $g(x)$, as
$$g^{-1}(x) = (f_{n,0}, f_{n,1}, \cdots, f_{n,n-1}).$$
Let $f = f_{n,n-1}(x_0, x_1, \cdots, x_{n-1})$, which is the $n$th component function of the
$D$-permutation $g^{-1}$, let $\{s_i\}$ be a binary m-sequence of degree $n$, and let
$$a_i = f(s_i, s_{i+1}, \cdots, s_{i+n-1}), \quad i = 0, 1, \cdots . \qquad (7)$$
Then we say that the sequence $\{a_i\}$ is a $D$-filter sequence and $f$ a $D$-filter
function.

Randomness profile for $D$-filter sequences: Any $D$-filter sequence has period
$2^n - 1$ and is balanced. Furthermore, all $D$-filter sequences are shift-distinct.
Precisely, there are $\phi(2^n - 1)/n$ shift-distinct $D$-filter sequences with $D$-filter
function $f$.

The experimental results show that most shift-distinct $D$-filter sequences
achieve the maximal linear span $2^n - 2$ for every $f$, and a few of them have
linear spans taking the slightly smaller value $2^n - 2 - (2n + m)$ where $m \mid n$
or $m = 0$. Therefore, we have the following conjecture for the linear spans of
$D$-filter sequences.

Conjecture. The linear span of $\{a_i\}$ is equal to $2^n - 2$ or $2^n - 2 - (2n + m)$
where $m \mid n$ or $m = 0$.

The validity of the conjecture was verified for $4 \le n \le 13$.
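The constructions of Sections 2 and 4 in working code, as an added example that is not part of the paper: one Berlekamp-Massey loop computes the discrepancy transform $D$ of Definition 2, its inverse $D^{-1}$ (built, as in the proof of Theorem 2.1, by exchanging the roles of $a_n$ and $d_n$), the restricted transform $D_V$ and its inverse on $n$-bit vectors, and $D$-filter sequences according to (7). The tie-breaking of the BM loop follows Massey's published algorithm; since the paper's Appendix is not reproduced here, agreement with it is an assumption, although the loop does reproduce Example 1, Example 2 and every component function listed in Theorem 4.1 and Corollary 3. The m-sequences used for the filter, generated by $x^4 + x + 1$ and by its reciprocal $x^4 + x^3 + 1$ from the state $1000$, are likewise choices made for this example.

```python
# Added example, not code from the paper: one Berlekamp-Massey (BM) loop drives
# the discrepancy transform D (Definition 2), its inverse D^{-1} (Theorem 2.1),
# the restricted transform D_V and D_V^{-1} on n-bit vectors (Theorem 4.1,
# Corollary 3) and the D-filter generator of (7). The tie-breaking of the BM
# loop follows Massey's published algorithm; the paper's Appendix is not on the
# page, so agreement with it is an assumption (it reproduces Examples 1 and 2
# and every component function listed in Theorem 4.1 and Corollary 3).
from itertools import product


def _bm_loop(steps, next_bit):
    """Run BM for `steps` clocks; next_bit(i, prediction) supplies a_i.

    Returns (a, d, L, C): the sequence, its discrepancy bits
    d_i = a_i + sum_k c_k a_{i-k}, the final linear span L and the
    connection polynomial C(x) = 1 + c_1 x + ... as a coefficient list.
    """
    C, B, L, m = [1], [1], 0, 1
    a, d = [], []
    for i in range(steps):
        pred = 0
        for k in range(1, L + 1):
            if k < len(C) and C[k]:
                pred ^= a[i - k]
        a_i = next_bit(i, pred)
        d_i = a_i ^ pred
        a.append(a_i)
        d.append(d_i)
        if d_i == 0:
            m += 1
            continue
        T = C[:]
        C = C + [0] * (len(B) + m - len(C))     # room for x^m B(x)
        for k, b_k in enumerate(B):
            C[k + m] ^= b_k                     # C(x) <- C(x) + x^m B(x)
        if 2 * L <= i:                          # length change: a new LFSR
            L, B, m = i + 1 - L, T, 1
        else:                                   # same length, new taps
            m += 1
    return a, d, L, C


def discrepancy_transform(a):
    """D(a) for a finite prefix of a: its discrepancy bits, linear span and C(x).
    For an N-periodic sequence pass 2N bits (the paper's M = 2N + u with u = 0)."""
    _, d, L, C = _bm_loop(len(a), lambda i, pred: a[i])
    return d, L, C


def inverse_discrepancy_transform(d, length):
    """D^{-1}(d): a_i = prediction + d_i, with d_i = 0 past the ending point of d."""
    a, _, L, C = _bm_loop(length, lambda i, pred: pred ^ (d[i] if i < len(d) else 0))
    return a, L, C


def restricted_transform(x):
    """D_V on an n-bit tuple, eq. (2)."""
    return tuple(discrepancy_transform(list(x))[0])


def restricted_inverse(x):
    """D_V^{-1} on an n-bit tuple (Corollary 3)."""
    return tuple(inverse_discrepancy_transform(list(x), len(x))[0])


def is_permutation(n):
    """Lemma 1, checked exhaustively: D_V is a bijection of F_2^n."""
    return len({restricted_transform(v) for v in product((0, 1), repeat=n)}) == 2 ** n


def m_sequence(n, taps, init, length):
    """m-sequence of x^n + sum_{t in taps} x^t from the nonzero state `init`."""
    s = list(init)
    while len(s) < length:
        s.append(sum(s[len(s) - n + t] for t in taps) & 1)
    return s[:length]


def d_filter_sequence(n, taps, init, length):
    """Eq. (7): a_i = f(s_i, ..., s_{i+n-1}), f = f_{n,n-1} the n-th component
    of D_V^{-1}, over the m-sequence {s_i}."""
    s = m_sequence(n, taps, init, length + n - 1)
    return [restricted_inverse(tuple(s[i:i + n]))[-1] for i in range(length)]


def least_period(seq):
    return next(p for p in range(1, len(seq) + 1)
                if all(seq[i] == seq[i + p] for i in range(len(seq) - p)))


def linear_span(bits, N):
    """Linear span of an N-periodic sequence from at least 2N of its bits."""
    return discrepancy_transform(bits[:2 * N])[1]


if __name__ == "__main__":
    print(discrepancy_transform([1, 0, 0, 1, 0, 1, 1] * 2)[0])          # D of the period-7 m-sequence
    print(inverse_discrepancy_transform([1, 0, 0, 1, 0, 1, 1], 10)[0])  # Example 1
    for taps in ((0, 1), (0, 3)):   # x^4 + x + 1 and its reciprocal x^4 + x^3 + 1 (our choice)
        seq = d_filter_sequence(4, taps, (1, 0, 0, 0), 30)
        print(taps, least_period(seq), sum(seq[:15]), linear_span(seq, 15))
```

Running the file prints $(1,1,0,1,0,1,0,\ldots)$ for the period-7 m-sequence, $1110111101$ for Example 1, and for the two degree-4 $D$-filter sequences the period 15, the weight 8 and the linear spans 10 (for $x^4 + x + 1$) and 14 (for $x^4 + x^3 + 1$). The second value is the maximal $2^4 - 2$ of the conjecture; the first is not of the printed form $2^n - 2 - (2n + m)$, so the argument order in (7) or the BMA conventions of the paper presumably differ from those assumed here.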

5. Conclusion 

In terms of the Berlekamp-Massey algorithm, we introduced the discrepancy
transform for ultimately periodic sequences. Randomness criteria for
linear span profiles of sequences are obtained in terms of runs of discrepancy
transform sequences. A restriction of the discrepancy transform, computed by
the modified Berlekamp-Massey algorithm, yields a new family of nonlinear
permutations of $GF(2^n)$. Applying the $n$th component function of such a
permutation to a filter generator yields a pseudorandom sequence generator with
strong cryptographic properties, which has potential applications in secure
communications.
Abstract In this paper, a survey of Legendre sequences and modified Jacobi sequences
is presented first. We introduce the construction and periodic autocorrelation
functions of these two sequences (binary and polyphase). Then we determine
the linear complexity of all modified polyphase Jacobi sequences and the
corresponding feedback polynomials of the shortest linear feedback shift register
that generates such a sequence. Making use of these results, we also
prove the conjectures on the linear complexity and feedback polynomials of
modified Jacobi sequences put forward by D.H. Green and J. Choi.

Keywords: Legendre sequence, modified Jacobi sequence, modified polyphase Jacobi sequence,
linear complexity, periodic autocorrelation functions

Introduction 

Pseudorandom sequences with good periodic or aperiodic autocorrelation
properties are extremely useful in many areas such as communication and
cryptography [1, 2]. For cryptographic applications of sequences as key streams in stream
ciphers, their linear complexity $c_L$ is an important figure of merit. Legendre
sequences (polyphase Legendre sequences), L-sequences (PL-sequences) for
short, and modified Jacobi sequences (modified polyphase Jacobi sequences),
MJ-sequences (MPJ-sequences) for short, possess good periodic correlation
properties and have high linear complexity, which gives them some cryptographic
significance [3, 4, 5, 6, 7, 8, 9].

This paper will first investigate the construction and properties of these two
sequences, and then determine the linear complexity and feedback polynomials
of MPJ-sequences. At the same time, we prove the conjecture on the
linear complexity and feedback polynomials of MJ-sequences put forward
by D.H. Green and J. Choi [7].



1. Legendre sequences 



Binary Legendre or quadratic residue sequences exist for all lengths $L$ which
are prime. They can be constructed using the Legendre symbol $(i/L)$; a Legendre
sequence $a_0 a_1 a_2 \cdots a_{L-1}$ is then formed by writing $a_i = (i/L)$, $0 < i < L$,
and the value of $a_0$ can be taken as either $1$ or $-1$. Alternatively, a pure binary
form of these sequences $a_0 a_1 a_2 \cdots$, $a_i = 0$ or $1$, can be constructed
by mapping the square roots of unity onto the binary symbols in the normal
way, i.e., $1 = (-1)^0$, $-1 = (-1)^1$, so $1 \to 0$, $-1 \to 1$. Thus this is equivalent to
taking
$$a_i = \begin{cases} 0 & \text{if } i \text{ is a quadratic residue mod } L \\ 1 & \text{if } i \text{ is a quadratic nonresidue mod } L \end{cases} \qquad (1)$$

This gives rise to two classes of L-sequences.

Class 1: $L \equiv 3 \bmod 4$. The periodic autocorrelation function $R(\tau)$ takes
values $R(\tau) \in \{L, -1\}$ and so this class has the ideal two-valued autocorrelation
function. The sequences conventionally referred to as quadratic residue
sequences belong to this class.

Class 2: $L \equiv 1 \bmod 4$. For this case $R(\tau) \in \{L, -3, 1\}$ and so this class
has a three-valued autocorrelation function.

L-sequences have a number of interesting properties [3, 4]. C. Ding and
T. Helleseth determined the linear complexity of all L-sequences and their
minimal polynomials in [5]. These results can be summarized as follows:
$$c_L = \begin{cases} (L+1)/2 & \text{if } L \equiv 1 \bmod 8 \\ L - 1 & \text{if } L \equiv 3 \bmod 8 \\ L & \text{if } L \equiv 5 \bmod 8 \\ (L-1)/2 & \text{if } L \equiv 7 \bmod 8 \end{cases} \qquad (2)$$
$$m(x) = \begin{cases} (x+1)\,f(x) & \text{if } L \equiv 1 \bmod 8 \\ (x^L + 1)/(x+1) & \text{if } L \equiv 3 \bmod 8 \\ x^L + 1 & \text{if } L \equiv 5 \bmod 8 \\ f(x) & \text{if } L \equiv 7 \bmod 8 \end{cases} \quad \text{over } GF(2), \qquad (3)$$
where $f(x)$ is a special polynomial of degree $(L-1)/2$ that is derived from
the sequence.



2. Modified Jacobi sequences 

Firstly, we introduce the Jacobi sequences, which are constructed by combining
two L-sequences. Jacobi sequences exist for all lengths of the form $L = uv$,
where $u$ and $v$ are both prime. They are constructed using the Jacobi symbol
$[i/uv]$, which is defined as
$$\left[\frac{i}{uv}\right] = \left(\frac{i}{u}\right)\left(\frac{i}{v}\right), \quad 0 \le i < L, \qquad (4)$$
i.e., the term-by-term modulo 2 addition of the two L-sequences in the $0, 1$ form. A Jacobi sequence
$b_0 b_1 \cdots b_{L-1}$ is then formed by writing
$$b_i = \left[\frac{i}{uv}\right], \quad 0 \le i < L. \qquad (5)$$

The Jacobi sequences described above do not show particularly good
autocorrelation functions and contain out-of-phase values which are related to the
factors $u$ and $v$.

If a Jacobi sequence is modified by ensuring that $b_i = 0$ for $i \equiv 0 \bmod v$,
and $b_i = 1$ for $i \ne 0$ and $i \equiv 0 \bmod u$, the resulting sequence, called a modified
Jacobi sequence, has greatly improved periodic autocorrelation values [6]. It is
assumed, without loss of generality, that $v > u$, so that $v = u + k$, where $k$ is an
even integer. If $k \equiv 2 \bmod 4$, the autocorrelation values are taken from $\{L, k-3, -1, 1-k\}$,
and if $k \equiv 0 \bmod 4$, they are taken from $\{L, k-3, 1, -3, 1-k\}$.

D.H. Green and J. Choi conjectured the linear complexity and feedback
polynomials of MJ-sequences [7]. We will prove their conjectures in the following
section.



3. Polyphase Legendre sequences 

PL-sequences were called polyphase power residue sequences in [8]. Let
$a_0 a_1 \cdots a_{L-1}$ be a $q$-phase L-sequence of length $L$, where both $L$ and $q$ are
prime such that $L \equiv 1 \bmod 2q$. Let $T = (L-1)/q$ and $\beta$ be a primitive
element mod $L$; then each non-zero integer $i$ mod $L$ can be represented as
$i = \beta^j \bmod L$. Let $C_k = \{\beta^{k}, \beta^{k+q}, \cdots, \beta^{k+(T-1)q}\} \bmod L$, $k = 0, 1, \cdots, q-1$,
be the cosets of the $q$th power residues.

Then, make
$$a_i = j \quad \text{if } i \in C_j, \text{ for } 0 < i \le L - 1, \qquad (6)$$
and $a_0$ can be selected to be any of the $q$ available values. We assume, unless
otherwise stated, that $a_0 = 0$.

The linear complexity of these sequences has been derived and revealed that
it depends on whether $q$ is a $q$th power residue and on the value chosen for the
initial digit in the sequence. These results can be summarized as follows:
$$c_L = \begin{cases} L & \text{if } b_0 \ne 0 \text{ and } q \notin C_0 \\ L - 1 & \text{if } b_0 = 0 \text{ and } q \notin C_0 \\ L - T & \text{if } b_0 \ne 0 \text{ and } q \in C_0 \\ L - T - 1 & \text{if } b_0 = 0 \text{ and } q \in C_0 \end{cases} \qquad (7)$$
and $m(x) = x^L - 1$ if $b_0 \ne 0$ and $q \notin C_0$, the three remaining cases of (8) ($b_0 = 0$ and
$q \notin C_0$; $b_0 \ne 0$ and $q \in C_0$; $b_0 = 0$ and $q \in C_0$) being expressed through the
polynomials $W_j(x)$, where $W_j(x)$ is the polynomial corresponding to the coset $C_j$, which
provides the roots of $B(x) = b_0 + b_1 x + \cdots + b_{L-1} x^{L-1}$.



4. Modified polyphase Jacobi sequences

Let $A = a_0 a_1 \cdots a_{u-1}$ and $B = b_0 b_1 \cdots b_{v-1}$ be two $q$-phase L-sequences
of length $u$ and $v$, respectively, where $u$, $v$, $q$ are all odd primes such that
$u \equiv 1 \bmod 2q$, $v \equiv 1 \bmod 2q$. Define the sequence $R = r_0 r_1 \cdots r_{L-1}$ of length
$L = uv$ as $r_i = (a_{i \bmod u} + b_{i \bmod v}) \bmod q$, $0 \le i < L$.

Sequences with a length $L$ which can be factorized into two or more relatively
prime factors can be folded into a two-dimensional structure sometimes referred
to as a pseudorandom array (PRA) [10]. One method for performing this folding
is to start at the top left-hand corner of the array with the first digit of the
sequence, and then to place subsequent digits down the diagonal by moving
one position in each dimension at each step. When an edge is encountered, the
array is re-entered at the opposite edge on the next row or column. In this way,
each location in the array will be visited exactly once in one pass through the
sequence, provided the dimensions of the array are relatively prime.

The MPJ-sequence $S = s_0 s_1 \cdots s_{L-1}$ of length $L = uv$ is defined as
$$s_i = \begin{cases} 0 & i = 0 \\ r_i & \gcd(i, L) = 1 \\ m & i \ne 0,\ i \equiv 0 \bmod u \\ n & i \ne 0,\ i \equiv 0 \bmod v \end{cases} \qquad (9)$$
where $0 \le m, n \le q - 1$. Here we restrict to $n = 0$, $m \ne 0$.

From the definition above, an MPJ-sequence $S$ can be represented as a $u \times v$
array and decomposed as a modulo-$q$ sum of four component arrays.
Then $S$ can be thought of as a modulo-$q$ sum of the following four component
sequences of length $uv$: the $v$-fold repetition
$$a_0 a_1 \cdots a_{u-1}\; a_0 a_1 \cdots a_{u-1} \cdots a_0 a_1 \cdots a_{u-1}$$
of $A$, the $u$-fold repetition
$$b_0 b_1 \cdots b_{v-1}\; b_0 b_1 \cdots b_{v-1} \cdots b_0 b_1 \cdots b_{v-1}$$
of $B$, and two correction sequences, supported on the multiples of $u$ and on the multiples
of $v$ respectively, which adjust those positions to the values $m$ and $n$ of (9) (10),
if these sequences are unfolded from the array.
Let $S(x) = s_0 + s_1 x + \cdots + s_{L-1} x^{L-1}$. It is easy to see that [11]

(1) The feedback polynomial $m(x)$ of $S$ is given by
$$m(x) = (x^L - 1)/\gcd(x^L - 1, S(x)). \qquad (11)$$

(2) The linear complexity $c_L$ of $S$ is given by
$$c_L = L - \deg[\gcd(x^L - 1, S(x))]. \qquad (12)$$

Since $(L, q) = 1$, there exists a primitive $L$th root of unity $\alpha$ in some splitting
field $GF(q^n)$ of $x^L - 1$, and $\deg \gcd(x^L - 1, S(x))$ is given by the number of
values $j$, $0 \le j < L$, such that $S(\alpha^j) = 0$; hence
$$c_L = L - |\{j : S(\alpha^j) = 0,\ 0 \le j \le L - 1\}|. \qquad (13)$$



From (10), we can write $S(x) = \sum_{i=0}^{L-1} s_i x^i$ as a sum of the four component
contributions: the cosets $C_k^u$ and $C_k^v$ ($0 \le k \le q-1$), each weighted by the digit $k$,
from the repeated copies of $A$ and $B$, minus their restrictions to the multiples of $v$ and
of $u$, plus $m \sum_{t=1}^{v-1} x^{tu}$ (the $n$-correction vanishes since $n = 0$). Evaluating this
expansion at $x = \alpha^j$ gives the following four cases.


So, for $x = \alpha^0 = 1$,
$$S(1) = v\,\frac{(u-1)(q-1)}{2} + u\,\frac{(v-1)(q-1)}{2} - \frac{(u-1)(q-1)}{2} - \frac{(v-1)(q-1)}{2} + m(v-1) \equiv 0 \bmod q.$$

For $x = \alpha^j$, $j \in A_1 = \{j : j \equiv 0 \bmod u,\ j \ne 0\}$,
$$S(\alpha^j) = u\Big[0\sum_{i \in C_0^v} (\alpha^j)^i + \cdots + (q-1)\sum_{i \in C_{q-1}^v} (\alpha^j)^i\Big]
- \Big[0\sum_{i \in C_0^u} (\alpha^j)^{vi} + \cdots + (q-1)\sum_{i \in C_{q-1}^u} (\alpha^j)^{vi}\Big]$$
minus the constant contributions of the corrections; the result is not $0 \bmod q$ for any
$j \in A_1$, which is what (18) below uses.

For $x = \alpha^j$, $j \in A_2 = \{j : j \equiv 0 \bmod v,\ j \ne 0\}$,
$$S(\alpha^j) = v\Big[0\sum_{i \in C_0^u} (\alpha^j)^i + \cdots + (q-1)\sum_{i \in C_{q-1}^u} (\alpha^j)^i\Big]
- \Big[0\sum_{i \in C_0^u} (\alpha^j)^{vi} + \cdots + (q-1)\sum_{i \in C_{q-1}^u} (\alpha^j)^{vi}\Big]
- \frac{(v-1)(q-1)}{2} + m(v-1) \equiv 0 \bmod q.$$

For $x = \alpha^j$, $j \in A_3 = \{0, 1, \cdots, L-1\} - A_1 - A_2 - \{0\}$,
$$S(\alpha^j) = -\Big[0\sum_{i \in C_0^u} (\alpha^j)^{vi} + \cdots + (q-1)\sum_{i \in C_{q-1}^u} (\alpha^j)^{vi}\Big]
- \Big[0\sum_{i \in C_0^v} (\alpha^j)^{ui} + \cdots + (q-1)\sum_{i \in C_{q-1}^v} (\alpha^j)^{ui}\Big]
- m \bmod q. \qquad (17)$$
Hence
$$c_L = L - u - |\{j : S(\alpha^j) = 0,\ j \in A_3\}|. \qquad (18)$$

When $j \in A_3$, we have the following basic fact:

Fact 1. When $j \in A_3$, $S(\alpha^j) \in \{0, 1, \cdots, q-1\}$ if and only if $q \in C_k^u$ and
$q \in C_{q-k}^v$ for some $k = 0, 1, \cdots, q-1$.

The proof of the fact can be found in another submission of ours. Then when
$q \in C_k^u$, $q \in C_{q-k}^v$, $|\{j : S(\alpha^j) = 0,\ j \in A_3\}| = (L - u - v + 1)/q$. In other
cases, $|\{j : S(\alpha^j) = 0,\ j \in A_3\}| = 0$. So the linear complexity and feedback
polynomials of all MPJ-sequences can be determined as follows:
$$c_L = \begin{cases} qT_2[1 + (q-1)T_1] & \text{if } q \in C_k^u,\ q \in C_{q-k}^v \\ L - u & \text{otherwise} \end{cases} \qquad (19)$$
where $T_1 = (u-1)/q$, $T_2 = (v-1)/q$. The feedback polynomial $m(x)$ follows from (11) in
the same two cases (20), expressed through the coset polynomials
$$W_{ij}(x) = \prod_{\substack{p \bmod u \in C_i^u \\ p \bmod v \in C_j^v}} (x - \alpha^p).$$

5. Proof of Green's conjecture

Making use of the results in Section 4, we can prove the conjectures on the linear complexity and feedback polynomials put forward by D.H. Green and J. Choi.

Note that 



S{x) 




+ E E 

vieCf uiSCg 



fu-t 

El*" 

^»=o 




( 21 ) 



So, for $x = 1$, $S(1) \equiv 0 \bmod 2$. For $x = \alpha^j$, $j \in A_1$, $S(\alpha^j) \equiv (u+1)/2 \bmod 2$. For $x = \alpha^j$, $j \in A_2$, $S(\alpha^j) \equiv (v-1)/2 \bmod 2$. For $x = \alpha^j$, $j \in A_3$, $S(\alpha^j) =$

Fact 2 When $j \in A_3$, $S(\alpha^j) \in \{0, 1\}$ if and only if $u \equiv \pm 1 \bmod 8$, $v \equiv \pm 1 \bmod 8$ or $u \equiv \pm 3 \bmod 8$, $v \equiv \pm 3 \bmod 8$.

When u and v are such that $u \equiv \pm 1 \bmod 8$, $v \equiv \pm 1 \bmod 8$ or $u \equiv \pm 3 \bmod 8$, $v \equiv \pm 3 \bmod 8$, it follows from Fact 2 that $S(\alpha^j) \in \{0, 1\}$ ($j \in A_3$), and that either $S(\alpha^t) = 0$ ($t \in A_3$) for all $t \bmod u \in C^u_0$, $t \bmod v \in C^v_0$ or $t \bmod u \in C^u_1$, $t \bmod v \in C^v_1$, or $S(\alpha^t) = 0$ ($t \in A_3$) for all $t \bmod u \in C^u_0$, $t \bmod v \in C^v_1$ or $t \bmod u \in C^u_1$, $t \bmod v \in C^v_0$. The total number of $t \in A_3$ is $L - u - v + 1$, and the number of t such that $t \bmod u \in C^u_0$, $t \bmod v \in C^v_0$, or $t \bmod u \in C^u_0$, $t \bmod v \in C^v_1$, or $t \bmod u \in C^u_1$, $t \bmod v \in C^v_0$, or $t \bmod u \in C^u_1$, $t \bmod v \in C^v_1$, is $(L - u - v + 1)/4$ in each case. Hence if $u \equiv \pm 1 \bmod 8$, $v \equiv \pm 1 \bmod 8$ or $u \equiv \pm 3 \bmod 8$, $v \equiv \pm 3 \bmod 8$, then

$|\{\, j : S(\alpha^j) = 0,\ j \in A_3 \,\}| = \frac{L-u-v+1}{4} + \frac{L-u-v+1}{4} = \frac{L-u-v+1}{2}.$ (22)

When u and v are such that $u \equiv \pm 1 \bmod 8$, $v \equiv \pm 3 \bmod 8$ or $u \equiv \pm 3 \bmod 8$, $v \equiv \pm 1 \bmod 8$, it follows from Fact 2 that $S(\alpha^j) \notin \{0, 1\}$ ($j \in A_3$) and $S(\alpha^t) \ne 0$ for all $t \in A_3$. Thus in this case

$|\{\, j : S(\alpha^j) = 0,\ j \in A_3 \,\}| = 0.$ (23)

Then the linear complexity of all MJ-sequences can be deduced easily. For example, consider the case $u \equiv 3 \bmod 8$, $v \equiv 5 \bmod 8$: $C_L = L - 1 - (u-1) - (v-1) - (L-u-v+1)/2 = (u-1)(v+1)/2$.
Abstract A method of directly constructing resilient functions is presented. The functions are generated from concatenations of linear functions. It is convenient to calculate the nonlinearity of the functions obtained and to discuss their algebraic degrees and propagation characteristics.

Keywords: correlation immune, nonlinearity, resilient function.

1. Introduction

An (n, m, t) resilient function is an n-input m-output function with the property that it runs through every possible output m-tuple an equal number of times when t arbitrary inputs are fixed and the remaining inputs run through all the input tuples once. The concept was introduced by Chor et al. [1] and independently by Bennett et al. in [2]. Areas where resilient functions find their applications include fault-tolerant distributed computing, quantum cryptographic key distribution and random sequence generation for stream ciphers.

Similar to Boolean functions, multi-output functions with good cryptographic properties should meet the following criteria: (1) orthogonality (i.e. balancedness, corresponding to Boolean functions), (2) high-order correlation immunity, (3) high nonlinearity, (4) high algebraic degree, (5) propagation characteristics. Orthogonality together with correlation immunity is usually referred to as resiliency. These criteria are partially in conflict with one another, so it is important to discuss and harmonize them.

Up to now there are many results about resilient functions, but for most of them it is difficult to discuss all these properties at once. In fact, most of them consider only two properties. For example, a tradeoff between correlation immunity and nonlinearity was given by Y. Zheng and X. M. Zhang in [3], and one between correlation immunity and algebraic degree by Siegenthaler in [4]. In this paper, we give a construction of cryptographic resilient functions in which all the criteria above are considered. It is easy to calculate the nonlinearity of the functions obtained and to discuss their algebraic degrees and propagation characteristics, and a tradeoff among these criteria is given. The functions are generated from concatenations of linear functions, which makes them convenient to use in practice.

2. Preliminaries

The vector space of n-tuples of elements from GF(2) is denoted by V_n. These vectors, in ascending alphabetical order, are denoted by α_0, α_1, …, α_{2^n−1}. As vectors in V_n and integers in [0, 2^n − 1] have a natural one-to-one correspondence, we may switch from a vector in V_n to its corresponding integer and vice versa.

Let f be a function from V_n to GF(2) (simply, a function on V_n). The truth table of f is a (0,1)-sequence defined by (f(α_0), f(α_1), …, f(α_{2^n−1})), and the sequence of f is a (1,−1)-sequence defined by ((−1)^{f(α_0)}, (−1)^{f(α_1)}, …, (−1)^{f(α_{2^n−1})}). f is said to be balanced if its truth table contains an equal number of zeros and ones. We call h(x) = c_1x_1 ⊕ c_2x_2 ⊕ … ⊕ c_nx_n ⊕ c an affine function, where c_i (1 ≤ i ≤ n), c ∈ GF(2). In particular, h is called a linear function if c = 0. Denote the set of all n-variable affine functions by A_n.

Functions on V_n can be considered as multivariate polynomials in n coordinates. We are particularly interested in the so-called algebraic normal form representation, in which a function is viewed as a sum of products of coordinates. The algebraic degree deg(f) of a function f is the number of coordinates in the longest product in its algebraic normal form. The Hamming weight W(v) of a vector v is the number of ones in v. Let f and g be two functions on V_n; their Hamming distance is the number of positions in which their sequences differ, denoted by d(f, g). The nonlinearity of f is defined by N_f = min_{g ∈ A_n} d(f, g).

If we denote the sequences of f and g by ξ and η respectively, then d(f, g) = 2^{n−1} − ½⟨ξ, η⟩ [5, Lemma 6]. So we have N_f = 2^{n−1} − ½ max_{g ∈ A_n} ⟨ξ, η⟩.
It is well known that the nonlinearity of f on V_n satisfies N_f ≤ 2^{n−1} − 2^{n/2−1}. f is said to satisfy the propagation criterion with respect to a non-zero vector a in V_n if f(x) ⊕ f(x ⊕ a) is a balanced function. Furthermore, it satisfies the propagation criterion of degree k if it satisfies the propagation criterion with respect to all a ∈ V_n with 1 ≤ W(a) ≤ k.

A Boolean function f(x) on n variables is said to be m-th order correlation immune (m-CI) if for any m-tuple of independent identically distributed binary random variables X_{i_1}, X_{i_2}, …, X_{i_m} we have I(X_{i_1}, X_{i_2}, …, X_{i_m}; Z) = 0, 1 ≤ i_1 < i_2 < … < i_m ≤ n, where Z = f(X_1, X_2, …, X_n) and I(X; Z) denotes the mutual information [7].

Corresponding to Boolean functions, we define the same concepts for multi-output functions. Let F = (f_1, f_2, …, f_m) be a function from V_n to V_m. Its nonlinearity is defined as the minimum among the nonlinearities of all nonzero linear combinations of the component functions of F, i.e.

N_F = min{N_g | g = ⊕_{i=1}^m c_i f_i, c_i ∈ GF(2), (c_1, c_2, …, c_m) ≠ (0, 0, …, 0)}.

The algebraic degree of F, denoted by deg(F), is defined as the minimum among the algebraic degrees of all nonzero linear combinations of the component functions of F, namely

deg(F) = min{deg(g) | g = ⊕_{i=1}^m c_i f_i, c_i ∈ GF(2), (c_1, c_2, …, c_m) ≠ (0, 0, …, 0)}.

F is said to satisfy the propagation criterion of degree k if all its nonzero linear combinations satisfy the propagation criterion with respect to all a ∈ V_n with 1 ≤ W(a) ≤ k.

Definition 1: Let F = (f_1, f_2, …, f_m) be a function from V_n to V_m, where n ≥ m ≥ 1, and let x = (x_1, …, x_n) ∈ V_n.

1) F is said to be unbiased with respect to a fixed subset T = {j_1, …, j_t} of {1, …, n} if for every (a_1, a_2, …, a_t) ∈ V_t, with x_{j_1} = a_1, …, x_{j_t} = a_t, the vector (f_1(x), …, f_m(x)) runs through all the vectors in V_m, each 2^{n−m−t} times, while (x_{i_1}, …, x_{i_{n−t}}) runs through V_{n−t} once, where t ≥ 0, {i_1, …, i_{n−t}} = {1, …, n} − {j_1, …, j_t} and i_1 < i_2 < … < i_{n−t}.

2) F is said to be a t-resilient function if F is unbiased with respect to every subset T of {1, …, n} with |T| = t.

The parameter t is called the resiliency of the function.

3. Previous constructions and results

Given any vector δ = (i_1, …, i_s) ∈ V_s, we define a function D_δ(y) on V_s, where y = (y_1, …, y_s) and ī = 1 ⊕ i indicates the complement of i; the addition and multiplication are over GF(2). Obviously, D_δ(y) = 1 if and only if y = δ.

Suppose that Φ = {φ_δ(x) : δ ∈ V_{n−s}} is a set containing 2^{n−s} linear functions on V_s, each indexed by a vector in V_{n−s}. Φ may be a multi-set.

Theorem 1 [5] Let n and s be positive integers with n > s, x = (x_1, x_2, …, x_s), y = (y_1, y_2, …, y_{n−s}), and let r(y) be an arbitrary function on V_{n−s}. Set

g(y, x) = ⊕_{δ ∈ V_{n−s}} D_δ(y) φ_δ(x) ⊕ r(y);

then g(y, x) is a balanced k-th order correlation immune function on V_n, where k is an integer satisfying k + 1 ≤ min{W(γ_δ) | δ ∈ V_{n−s}}, φ_δ(x) = ⟨γ_δ, x⟩ ∈ Φ_{n,s} and γ_δ ∈ V_s.

Next, we discuss the cryptographic criteria of the function g given above.

Theorem 2 [5] Let n and s be positive integers with n > s ≥ 2, and let q_δ be the number of times the linear function φ_δ(x) appears in Φ. Let t = max{q_δ | δ ∈ V_{n−s}}; then N_g ≥ 2^{n−1} − t·2^{s−1}.

Theorem 3 [5] Let k, n and s be integers with k ≥ 1 and n ≥ s ≥ k + 2; then a balanced k-th order correlation immune function on V_n of algebraic degree n − s + 1 can be obtained.

Theorem 4 [5] If all the φ_δ's are distinct linear functions on V_s, then g satisfies the propagation criterion with respect to all γ = (β, α), 0 ≠ β ∈ V_{n−s} and α ∈ V_s.

Theorem 5 [6] Let F = (f_1, f_2, …, f_m) be a function from V_n to V_m, where n and m are integers with n ≥ m ≥ 1 and each f_j is a function on V_n. Then F is an (n, m, t)-resilient function if and only if every nonzero linear combination f(x) = ⊕_{j=1}^m c_j f_j(x) is an (n, 1, t)-resilient function, where x = (x_1, x_2, …, x_n) ∈ V_n.

4. New construction of resilient functions

For integers k and n with 0 ≤ k < n, let Ω_{n,k} denote the set of linear functions on V_n that have k + 1 or more non-zero coefficients, namely Ω_{n,k} = {φ | φ(x) = ⟨β, x⟩, x, β ∈ V_n, W(β) ≥ k + 1}.

Let n, m, t be integers with n > m. Select m·2^{n−s} functions from Ω_{s,t} (repetition is permitted in the selection) and separate them into m groups arbitrarily, denoted by Φ_1, Φ_2, …, Φ_m. Each group has 2^{n−s} functions. Denote Φ_i = {φ^i_δ(x) : δ ∈ V_{n−s}}, 1 ≤ i ≤ m. Select m functions on V_{n−s} arbitrarily, denoted by r_1(y), r_2(y), …, r_m(y) respectively.

Let g_i(y, x) = ⊕_{δ ∈ V_{n−s}} D_δ(y) φ^i_δ(x) ⊕ r_i(y), where φ^i_δ ∈ Φ_i and 1 ≤ i ≤ m. Set

F(y, x) = (g_1(y, x), g_2(y, x), …, g_m(y, x)) (*)

where y ∈ V_{n−s} and x ∈ V_s.

Theorem 6 F(y, x) constructed above is an (n, m, t)-resilient function.

Proof. Consider an arbitrary nonzero linear combination of the component functions of F(z), say P(z) = ⊕ c_i g_i(y, x), c_i ∈ GF(2). By Theorem 1, each g_i is a balanced t-th order correlation immune function, i.e. an (n, 1, t)-resilient function. By Theorem 5, F is an (n, m, t)-resilient function.
Theorem 7 Let n, s be integers with n > s ≥ 2. Denote by p_i the maximal number of times a linear function φ^i_δ (δ ∈ V_{n−s}) appears in Φ_i, 1 ≤ i ≤ m, and let p = max{p_i | 1 ≤ i ≤ m}. Then the nonlinearity of the function obtained from (*) is N_F ≥ 2^{n−1} − p·2^{s−1}.

Proof. Denote the sequence of g_i(y, x) by ξ_i, 1 ≤ i ≤ m. Let P(z) = ⊕_{i=1}^m c_i g_i(y, x); then the sequence of P(z) is ξ = c_1ξ_1 ⊕ … ⊕ c_mξ_m. Select an affine function l(z) on V_n arbitrarily and denote its sequence by η. Then

⟨ξ, η⟩ = ⟨c_1ξ_1 ⊕ … ⊕ c_mξ_m, η⟩ ≤ max{⟨ξ_i, η⟩ | 1 ≤ i ≤ m}

by Theorem 2; therefore N_P ≥ 2^{n−1} − p·2^{s−1}. So N_F ≥ 2^{n−1} − p·2^{s−1} according to the definition of nonlinearity.

Corollary 1: Let n, m, t be integers with n > m. If there exists an integer s such that

$\binom{s}{t+1} + \binom{s}{t+2} + \cdots + \binom{s}{s} \ge m \cdot 2^{n-s},$

then the nonlinearity of the function obtained from (*) is N_F ≥ 2^{n−1} − 2^{s−1}.
Next, we discuss the algebraic degree of the function obtained by our method:

deg(F) = min{deg(h) | h = ⊕_{i=1}^m c_i g_i, c_i ∈ GF(2), (c_1, …, c_m) ≠ (0, …, 0)}.

Theorem 8 If |Ω_{s,t}| ≥ m·2^{n−s}, then the algebraic degree of the function obtained from (*) is n − s + 1. When s = t + 1, the function achieves the maximum algebraic degree n − t − 1.

Proof. Arrange the functions in Ω_{s,t} in ascending alphabetical order of their length and of the indices of their variables. Select m·2^{n−s} functions from Ω_{s,t} in order from the beginning and separate them into m sets; denote the sets by Φ_1, Φ_2, …, Φ_m. Then construct the multi-output function by method (*). It is easy to prove that the algebraic degree of an arbitrary nonzero linear combination of the g_i (1 ≤ i ≤ m) is n − s + 1. By the definition of F, we have deg(F) = n − s + 1.

Theorem 9 In the construction (*), if no Φ_i (1 ≤ i ≤ m) is a multiset, then F(y, x) satisfies the propagation criterion with respect to all γ with γ = (α, β), α ∈ V_{n−s}, β ∈ V_s and α ≠ 0.

Proof. For any γ = (α, β), α ∈ V_{n−s}, β ∈ V_s and α ≠ 0, and any nonzero linear combination (c_1, c_2, …, c_m) ≠ (0, …, 0), we have:

⊕_{i=1}^m c_i g_i(z) ⊕ ⊕_{i=1}^m c_i g_i(z ⊕ γ) = ⊕_{i=1}^m c_i (g_i(z) ⊕ g_i(z ⊕ γ)).

By [5, Theorem 5], g_i(z) ⊕ g_i(z ⊕ γ) is balanced. Therefore ⊕ c_i (g_i(z) ⊕ g_i(z ⊕ γ)) is balanced too, i.e. F satisfies the propagation criterion with respect to γ.

5. Example

We construct an (11, 3, 3)-resilient function, i.e. n = 11, m = 3, t = 3. Select s = 7. Then

|Ω_{7,3}| = 64 ≥ 3 × 16 = m·2^{n−s}.

For convenience, we denote the linear function x_{i_1} ⊕ x_{i_2} ⊕ … ⊕ x_{i_k} by the number sequence i_1 i_2 … i_k. Let



Φ_1 = ( 1234  1235  1236  1237  1245  1246  1247  1256
        1257  1267  1345  1346  1347  1356  1357  1367 ),

Φ_2 = ( 1456  1457  1467  1567  2345  2346  2347  2356
        2357  2367  2456  2457  2467  2567  3456  3457 ),

Φ_3 = ( 3467   3567   4567   12345  12346  12347  12356  12357
        12367  12456  12457  12467  12567  13456  13457  13467 ).

Select three functions r_i(y) (i = 1, 2, 3) on V_4 arbitrarily. By the method above, we get g_i(y, x) (i = 1, 2, 3) as follows:

9i (y. = ymym ® ® xj) ® pi {y, x) 

92 ivyx) = ® 3:5) ©P2(y, i) 

<?3(y,a:) = yiy2l/3y4(a;i 0 2:4 0 a;6 0 2 : 7 ) ® Pa(y, 

Now the multi-output function F(y, x): V_11 → V_3 is obtained as F(y, x) = (g_1, g_2, g_3). Obviously, F is a resilient function with resiliency t = 3, deg(F) = 5, N_F = 2^{10} − 2^6. F satisfies the propagation criterion with respect to all γ = (β, α), 0 ≠ β ∈ V_4, α ∈ V_7.
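The construction of this section, measured rather than asserted, as an added example (not code from the paper): the script builds Ω_{7,3} in the paper's listed order, takes Φ_1, Φ_2, Φ_3 to be its first, second and third 16 functions, and then computes, with the Walsh–Hadamard transform (Xiao–Massey characterisation of correlation immunity) and the Möbius transform (algebraic normal form), the resiliency, nonlinearity and algebraic degree of every nonzero linear combination of g_1, g_2, g_3, which is the check that Theorem 5 asks for. Two choices the text leaves open are fixed here as assumptions: each group is paired with δ ∈ V_4 in listed order (δ = 0, 1, …, 15), and every r_i(y) = 0.

```python
# Added example, not the paper's code: the (11, 3, 3) construction of Section 5
# measured with the Walsh-Hadamard transform.  Assumptions: s = 7, the three
# groups are the first, second and third 16 functions of Omega_{7,3} in the
# listed order, each group is paired with delta in V_4 in that same order
# (delta = 0, 1, ..., 15) and every r_i(y) = 0.
from itertools import combinations

N, S, M, T = 11, 7, 3, 3                  # n, s, m, t of the example
NY = N - S                                # y has 4 coordinates, 2**NY = 16 blocks

def popcount(v):
    return bin(v).count("1")

# Omega_{7,3}: linear functions on V_7 with at least t+1 = 4 nonzero
# coefficients, as 7-bit masks (bit i-1 set for x_i), all 4-subsets first.
OMEGA = [sum(1 << (i - 1) for i in c)
         for k in range(T + 1, S + 1) for c in combinations(range(1, S + 1), k)]
GROUPS = [OMEGA[16 * i:16 * (i + 1)] for i in range(M)]   # Phi_1, Phi_2, Phi_3
assert len(OMEGA) == 64 and all(len(g) == 1 << NY for g in GROUPS)

def truth_table(coefs):
    """g(y, x) = sum_delta D_delta(y) <coefs[delta], x> (r = 0); index z = (y << S) | x."""
    return [popcount(coefs[z >> S] & (z & ((1 << S) - 1))) & 1 for z in range(1 << N)]

def walsh(tt):
    """Walsh spectrum W(a) = sum_z (-1)^(f(z) + <a, z>) by the fast transform."""
    w = [1 - 2 * b for b in tt]
    h = 1
    while h < len(w):
        for i in range(0, len(w), 2 * h):
            for j in range(i, i + h):
                u, v = w[j], w[j + h]
                w[j], w[j + h] = u + v, u - v
        h *= 2
    return w

def nonlinearity(tt):
    return (len(tt) - max(abs(v) for v in walsh(tt))) // 2

def resiliency(tt):
    """-1 if unbalanced, else the largest t with W(a) = 0 for all 1 <= wt(a) <= t
    (Xiao-Massey: that is exactly balanced and t-th order correlation immune)."""
    w = walsh(tt)
    if w[0] != 0:
        return -1
    weights = [popcount(a) for a in range(1, len(tt)) if w[a] != 0]
    return min(weights) - 1 if weights else N

def degree(tt):
    """Algebraic degree via the Moebius transform (truth table -> ANF)."""
    a = list(tt)
    h = 1
    while h < len(a):
        for i in range(0, len(a), 2 * h):
            for j in range(i, i + h):
                a[j + h] ^= a[j]
        h *= 2
    return max(popcount(u) for u in range(len(a)) if a[u])

def analyse_construction():
    """(resiliency, nonlinearity, degree) of every nonzero combination c.F,
    keyed by (c_1, c_2, c_3): the check Theorem 5 asks for."""
    comps = [truth_table(g) for g in GROUPS]
    result = {}
    for c in range(1, 1 << M):
        tt = [0] * (1 << N)
        for i in range(M):
            if (c >> i) & 1:
                tt = [u ^ v for u, v in zip(tt, comps[i])]
        result[tuple((c >> i) & 1 for i in range(M))] = (
            resiliency(tt), nonlinearity(tt), degree(tt))
    return result

if __name__ == "__main__":
    for key, (res, nl, dg) in sorted(analyse_construction().items()):
        print(f"c={key}: resiliency {res}, nonlinearity {nl}, degree {dg}")
```

Run as a script it prints one line per combination. Under these assumptions each component g_i comes out as (3, 960, 5), i.e. resiliency t = 3, N = 2^{10} − 2^6 and degree 5, as the text states for F. The combinations do not inherit those values automatically: g_1 ⊕ g_2 has nonlinearity 640, because x_1 ⊕ x_3 is its block function for six values of δ, and g_1 ⊕ g_3 has resiliency 0, because x_4 is its block function for three values of δ. The per-combination check, not the per-component one, therefore decides the properties of F, and the pairing of functions with δ inside the groups has to be chosen with the combinations in mind.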
6. Conclusion

We have studied resilient functions built from concatenations of linear functions. The resilient functions obtained by our method have good cryptographic properties. In particular, it is convenient to calculate the nonlinearity of the functions obtained and to discuss their algebraic degrees and propagation characteristics. This direct construction from concatenations of linear functions is convenient for use in practice.
Abstract This paper presents two new factoring methods which apply to numbers with certain properties. When one factor of an integer has a long all-zero or all-one string in its binary representation, factorization of the integer can be made more efficient using one of the complementary algorithms proposed in this paper. Based on the proposed algorithms, a new criterion for secure RSA moduli should be taken into account.

Keywords: differential factorization algorithm, new criterion for secure RSA moduli

1. Introduction

In 1978, R.L. Rivest, A. Shamir and L. Adleman [5] proposed a public key cryptosystem based on the intractability of factorization. After 20 years of worldwide study and analysis of the cryptosystem, it is believed that breaking RSA is as hard as integer factorization, although the equivalence of factorization and the security of RSA has not been strictly proved yet. There have been many different good factorization methods (see for example [2, 3]). Each method works for integers with certain properties more efficiently than others. For example, for an RSA modulus n = pq, the (p − 1)-method can mostly work well to find a prime factor p of n if p − 1 has only small prime factors. Against this method, the concept of a "safe" modulus of RSA was proposed, which says: the modulus n should be the product of two primes p and q such that both p − 1 and q − 1 have a large prime factor. An integer n is said to have a large prime factor p if p is a factor of n and p ≫ √n. If (p − 1)/2 is a prime number as well, p is called a perfect prime. In this paper we propose two new factoring methods which are complementary to each other. These methods work efficiently for numbers when one of their factors is very close to t · 2^k for some t and k while the other factors are not too large. We further show that some perfect primes are not even safe when they are used in RSA.
2. Right shifting and its properties

Let n be a non-negative integer. Define R(n) = ⌊n/2⌋, the integral part of n/2. It is known that R(n) is equivalent to right shifting the integer n in its binary representation. We denote by R^i(n) the i-fold repeated application of the right shifting function to n. Denote by l(n) = ⌊log_2 n⌋ + 1 the length of n in its binary representation. Then the following properties can be verified easily:

P1: R(n) = 0 for n ≤ 1.

P2: R^{l(n)}(n) = 0, R^{l(n)−1}(n) = 1.

P3: If 2 | n, i.e. n is even, then for any integer a, R(an) = aR(n).

P4: R(ab) ≥ 2R(a)R(b). Equality holds if and only if a = b = 1 or 2 | a, 2 | b.

P5: R(ab) ≥ aR(b). Equality holds if and only if 2 | b or a ∈ {0, 1}.

P6: R(a + b) = R(a) + R(b) if 2 | ab, and R(a + b) = R(a) + R(b) + 1 otherwise.

P7: R(a − b) = R(a) − R(b) − 1 if a is even and b is odd, and R(a − b) = R(a) − R(b) otherwise.

For a positive integer n and an odd integer d, define another function

$\Gamma_d(n) = \begin{cases} n/2 & \text{if } 2 \mid n, \\ (n-d)/2 & \text{else.} \end{cases}$

It is seen that Γ_1(n) = R(n), so the function Γ_d(n) is a generalization of R(n). The relationship between Γ_d(n) and R(n) can be expressed as

$\Gamma_d(n) = R(n) - n_0 \cdot \frac{d-1}{2} = R(n) - n_0 R(d),$

where n_0 is the least significant bit of n in binary representation. Now we determine how fast repeatedly applying Γ_d to n decreases it to 0 or less. Denote n^{(0)} = n and n^{(i)} = Γ_d(n^{(i−1)}), i = 1, 2, …. For a randomly given n, each n^{(i)}_0 in the sequence {n^{(i)}} is equally likely to be 0 or 1. So the expected value of Γ_d(n) is Γ_d(n) = (n/2 + (n − d)/2)/2 = n/2 − d/4. This gives the recurrence formula n^{(i)} = n^{(i−1)}/2 − d/4. By this recursion we can deduce

$n^{(k)} = \frac{n}{2^k} - \frac{d}{2^2} - \frac{d}{2^3} - \cdots - \frac{d}{2^{k+1}} \approx \frac{n}{2^k} - \frac{d}{2}.$

Setting n^{(k)} = 0 we have k ≈ log_2 (2n/d). Taking the integral value k = ⌈log_2 (n/d)⌉ + 1, we have

Lemma 2.1. Given an integer n and an odd integer d at random, repeatedly applying the function Γ_d to n for γ_d(n) = ⌈log_2 (n/d)⌉ + 1 times is expected to yield a value ≤ 0, i.e. $\Gamma_d^{\gamma_d(n)}(n) \le 0$.



3. An algorithm

We introduce the following algorithm and analyse its performance.

Algorithm A(n, d)

Input: Odd numbers n and d.

1. a = n.

2. a = Γ_d(a).

3. If 2 | a, set g = gcd(a − d, n); else set g = gcd(a, n).

4. If g | n, output g and stop.

5. If a > 1 go to step 2; else report failure and exit.

Theorem 3.1. Let n = pq, where p and q do not have to be primes. If there exist integers k and d such that 2^k | (q − d) and p < 2^{k+1}, then the algorithm A(n, d) will yield a nontrivial factor of n.

Proof. By writing n = (t · 2^k + d)p and using the properties of Γ_d() and R() we know that for i < l(p) ≤ k we have

Γ_d^i(n) = p · t · R^i(2^k) + d · R^i(p).

Let i = l(p) − 1; then by property P2 we have a = Γ_d^i(n) = p · t · 2^{k−i} + d. If t · 2^{k−i} is odd, i.e. t is odd and i = k, then a is even, and in the 3rd step of the algorithm we get g = gcd(tp, n). Since tp < n and p | tp, we get a nontrivial factor g of n. If t · 2^{k−i} is even, then a is odd. Applying Γ_d(a) one more time we get a new value a = p · t · 2^{k−i−1}. At this stage, regardless of whether t · 2^{k−i−1} is odd or even, the algorithm will finally find a = pt', where t' is odd. So in step 3 of the algorithm we can certainly find a nontrivial factor g = gcd(pt', n) of n. □

If there exists a d such that algorithm A(n, d) can find a proper factor of n, then d is called a differentia of n associated with algorithm A(n, d), or a-differentia. Apparently the one satisfying the properties of Theorem 3.1 is an a-differentia of n, but not necessarily the smallest one.

It is easy to verify that within at most l(q) − 1 rounds the algorithm will terminate. The problem now is how to find a differentia without the knowledge of p and q. One way to achieve this is to set d = 1 and execute algorithm A(n, 1). If it fails to find a factor of n, increase d by 2 and execute A(n, d) again. This is not efficient for factoring general integers, where even the smallest differentia is very large. Note that even if the theoretical d satisfying the properties of Theorem 3.1 has to be very large, it is possible that there exists another a-differentia d of n much smaller than the theoretical value.

Let p and q be in binary representation and assume that there exist k and d < q such that 2^k | (q − d) and p < 2^{k+1}. Then the length of p in its binary representation is no longer than that of q, i.e. l(p) ≤ l(q). It is noticed that the l(p) − 1 least significant bits of q form the theoretical d which guarantees the factorization using the above algorithm. In order for the algorithm to be efficient, the l(p) − 1 least significant bits of q should be a long string of zeros before a nonzero bit appears, so that d can be reasonably small.
4. A complementary algorithm

Define

$\Lambda_d(n) = \begin{cases} n/2 & \text{if } 2 \mid n, \\ (n+d)/2 & \text{else.} \end{cases}$

Denote n^{(0)} = n and n^{(i)} = Λ_d(n^{(i−1)}). Then it can be assumed in general that n^{(i)}_0 is equally likely to be 0 or 1. So given a random n^{(i−1)}, the expected value of n^{(i)} is

n^{(i)} = Λ_d(n^{(i−1)}) = n^{(i−1)}/2 + d/4.

With this recursion we have

$n^{(k)} = \frac{n}{2^k} + \frac{d}{2^2} + \frac{d}{2^3} + \cdots + \frac{d}{2^{k+1}} \approx \frac{n}{2^k} + \frac{d}{2}.$

Setting n^{(k)} = d we have k ≈ log_2 (2n/d). So we have

Lemma 4.1. Given an integer n and an odd integer d at random, repeatedly applying the function Λ_d to n for γ_d(n) = ⌈log_2 (n/d)⌉ + 1 times is expected to yield a value ≤ d, i.e. $\Lambda_d^{\gamma_d(n)}(n) \le d$.

Note that once Λ_d(n) reaches a value less than or equal to d, further applying Λ_d to it may not decrease its value at all. This is one of the differences between Λ_d and Γ_d which should be taken into account in algorithm design.

Similar to algorithm A(n, d) we can develop a complementary algorithm as follows:

Algorithm B(n, d)

Input: Odd numbers n and d.

1. a = Λ_d(n).

2. If 2 | a, g = gcd(a + d, n); else g = gcd(a, n).

3. If g | n, output g and stop.

4. If a > d, let a = Λ_d(a) and go to step 2; else report failure and stop.

Theorem 4.2. Let n = pq, where p and q do not have to be primes. If there exist integers k and d such that 2^k | (q + d) and p < 2^{k+1}, then the algorithm B(n, d) will yield a nontrivial factor of n.

Proof: The proof of the theorem is similar to that of Theorem 3.1 by noticing Λ_d^i(n) = p · t · R^i(2^k) − d · R^i(p). □

If there exists a d such that algorithm B(n, d) can find a proper factor of n, then d is called a differentia of n associated with algorithm B(n, d), or b-differentia. Those values of d satisfying the properties of Theorem 4.2 are b-differentiae. Similar to the case of a-differentiae, there might exist a b-differentia much smaller than those satisfying the properties of Theorem 4.2.

Note: In the factorization of n = pq using algorithm A(n, d), d has to be smaller than q. However, if algorithm B(n, d) is used, d could be anything provided that it satisfies the properties of Theorem 4.2. But in a practical implementation, d is normally initialized to a small odd integer and then increased by 2 in each trial, so it cannot be very large. Nevertheless, algorithm B(n, d) allows multiple choices of d (d must be less than n in any circumstances). Once we find a correct d, we can get a factor of n.

Note: As with algorithm A(n, d), we cannot characterize exactly what kind of integers are vulnerable to algorithm B(n, d). But Theorem 4.2 tells us that if one of the factors of n has a long all-one string in its binary representation, algorithm B(n, d) works efficiently by initializing d = 1 and increasing it in steps of 2.

5. Some perfect primes are not perfect

Pollard's (p − 1) factoring method works efficiently when p − 1 has only small prime factors, where p is a prime factor of n. As an impact of this method on RSA, it was suggested to use strong primes in RSA. A prime p is said to be strong if p − 1 has a large prime factor. Rivest [6] further restricts the condition as follows: such a prime p should be used in RSA that p − 1 has a large prime factor p' and p' − 1 also has a large prime factor. Based on algorithm A(n, d), when a prime has particular properties, even if it satisfies Rivest's condition, a composite with the prime as a factor can be factorized very easily. For example, p = 16421 is a prime, and p' = 2 × p + 1 = 32843 and p'' = 2 × p' + 1 = 65687 are primes as well. For any integer n = p''q with q < 131072, using algorithm A(n, d) it can be factorized by choosing d = 151. This is not too hard if we initialize d = 1 and let it increase by 2 in every round. Although p'' is by conventional knowledge known as a perfect prime, satisfies Rivest's condition, and is even a prime applicable to the Rabin cryptosystem [4], it is not safe if used in RSA or the Rabin cryptosystem.

In the implementation of RSA, if the primes are chosen at random, then the algorithms above do not work effectively. However, there are no methods to efficiently determine whether a given large number is prime in the general case. The most accepted method is the probabilistic method [7, pages 129-138]. Although it can give us as high a confidence as we wish in whether a number is prime, there is still a possibility that some people would still use particular classes of primes whose primality can be completely determined. There is a way to determine whether a number of the form 2^q − 1 is prime, where q is a smaller prime [1, Vol. 2, page 409]:

Lemma 5.1. Let q be an odd prime. Define the sequence ⟨L_i⟩ by

L_0 = 4, L_{i+1} = (L_i^2 − 2) mod (2^q − 1).

Then 2^q − 1 is prime if and only if L_{q−2} = 0.
Based on Lemma 5.1, if a prime of the form 2^q − 1 is used in RSA or similar systems whose security is based on the hardness of integer factorization, then the system is insecure, as an integer having such a prime factor can be factorized using algorithm B(n, 1) at no cost (the first round is successful) provided that the remaining factor is not larger than 2^{q+1}. So the algorithms in this paper further stress that practical primes used for designing public key cryptosystems should be chosen at random.
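Lemma 5.1 as an added example (not the paper's code): the Lucas–Lehmer iteration below decides the primality of 2^q − 1 exactly, and the exponent list it returns is precisely the class of primes this section warns against, since a factor 2^q − 1 has the all-one binary form that Theorem 4.2 exploits with d = 1. The trial-division `is_prime` and the bound 61 are choices made for this example.

```python
# Added example, not the paper's code: the Lucas-Lehmer test of Lemma 5.1.
def lucas_lehmer(q):
    """True iff the Mersenne number 2^q - 1 is prime; q must be an odd prime.

    L_0 = 4, L_{i+1} = (L_i^2 - 2) mod (2^q - 1); 2^q - 1 is prime iff L_{q-2} = 0.
    """
    if q < 3 or q % 2 == 0:
        raise ValueError("q must be an odd prime")
    m = (1 << q) - 1
    L = 4
    for _ in range(q - 2):
        L = (L * L - 2) % m
    return L == 0

def is_prime(n):
    """Trial division, enough for the small exponents used here."""
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True

def mersenne_prime_exponents(limit):
    """Odd primes q <= limit for which 2^q - 1 is prime, i.e. the primes whose
    primality Lemma 5.1 settles without any probabilistic test."""
    return [q for q in range(3, limit + 1) if is_prime(q) and lucas_lehmer(q)]

if __name__ == "__main__":
    print(mersenne_prime_exponents(61))     # 2^61 - 1 is the next Mersenne prime after 2^31 - 1
```

Both 2^31 − 1 = 2147483647, which appears in Table 1 below, and 2^61 − 1 pass the test, while 2^11 − 1 = 2047 = 23 × 89 fails it at L_9.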

6. Preprocessing for parallel computation

Let q = t · 2^k + d, n = pq = pt · 2^k + dp. If d can be factorized into d = d_1 d_2, then we can write n = pt · 2^k + d_1 d_2 p. With an analysis similar to the proof of Theorem 3.1 we know that if d_2 p < 2^{k+1} then using algorithm A(n, d_1) will be able to find a proper factor of n, and hence d_1 is an a-differentia. We may find other a-differentiae using different factorizations of d when p is sufficiently small. However, when p is of similar size to q, or d is a prime as well, this method does not work. So we need some other techniques.

Let n_1 = Γ_{d_0}(n) = pt · 2^{k−1} +  . Denote by p_0 =  . If p_0 can be factorized into p_0 = d_1 p_1, where p_1 < 2^k and d_1 is odd, then further applying algorithm A(n, d_1) to n_1 will be successful in finding a proper factor of n. Note that in this case the routine of algorithm A(n, d_1) should be revised so that it starts with n_1 instead of n itself. This preprocessing for n gives the following advantages:

■ Preprocessing for n may yield a smaller d_1 which enables algorithm A(n, d_1) to find a proper factor of n while the smallest a-differentia of n is larger than d_1.

■ As different values of d_0 in the preprocessing may result in totally different outcomes, parallel computation is made possible by taking different initial values of d_0.

■ When the value of d_1 is sufficiently large, further using algorithm B(n, d_1) on n_1 may be more efficient than using algorithm A(n, d_1).

Note: When n has a small a-differentia, preprocessing may lead to a worse result. So when implementing parallel computation, at least one computation is devoted to the direct algorithm A(n, d).

Similar preprocessing techniques can be developed for algorithm B(n, d). In contrast to that of algorithm A(n, d), a value d_0 should be added to n instead of subtracted from n. When the value of d_1 is sufficiently large, using algorithm A(n, d_1) may be more efficient than using algorithm B(n, d_1) in the forthcoming computation. So we can develop the following algorithm with multiple routines.
Algorithm AB(n, d_0, B)

Input: Odd numbers n, d_0 and B.

Properties: n is the integer to be factorized; d_0 is an arbitrary integer for preprocessing; B is an upper bound of the algorithm.

Preprocessing: n_1 = (n − d_0)/2; n_2 = (n + d_0)/2.

While 2 | n_1 do n_1 = n_1/2. While 2 | n_2 do n_2 = n_2/2.

Routine 1:

for d = 1 to B with step 2 do A(n, d).

Routine 2:

for d = 1 to B with step 2 do B(n, d).

Routine 3:

for d = 1 to B with step 2 do

3.1 a = Γ_d(n_1).

3.2 If 2 | a, g = gcd(a − d, n); else g = gcd(a, n).

3.3 If g | n, output g and stop.

3.4 If a > 1, let a = Γ_d(a) and go to step 3.2; else report failure and exit.

Routine 4:

for d = 1 to B with step 2 do

4.1 a = Λ_d(n_1).

4.2 If 2 | a, g = gcd(a + d, n); else g = gcd(a, n).

4.3 If g | n, output g and stop.

4.4 If a > d, let a = Λ_d(a) and go to step 4.2; else report failure and exit.

Routine 5:

for d = 1 to B with step 2 do

5.1 a = Γ_d(n_2).

5.2 If 2 | a, g = gcd(a − d, n); else g = gcd(a, n).

5.3 If g | n, output g and stop.

5.4 If a > 1, let a = Γ_d(a) and go to step 5.2; else report failure and exit.

Routine 6:

for d = 1 to B with step 2 do

6.1 a = Λ_d(n_2).

6.2 If 2 | a, g = gcd(a + d, n); else g = gcd(a, n).

6.3 If g | n, output g and stop.

6.4 If a > d, let a = Λ_d(a) and go to step 6.2; else report failure and exit.

It is noted that algorithm AB(n, d_0, B) can further be implemented in parallel by feeding different values for d_0. Further development of the algorithm may include multiple preprocessing, i.e. after the preprocessing for n we get n_1, then by further preprocessing n_1 we get n_2; continuing this procedure for t times we get n_t, and then use n_t in routines 3 and 4 instead of n_1.

7. A few small examples

In this section we demonstrate a few small examples to illustrate how the algorithms work. We denote by d^- the smallest theoretical a-differentia (as in Theorem 3.1) and by d^+ the smallest theoretical b-differentia (as in Theorem 4.2) of a given number n. (d_0^-, d^-) means routine 3 is successful and (d_0^+, d^+) means routine 6 is successful, where d_0 (d_0^- or d_0^+) is used in preprocessing, and d_1 (d^- or d^+) is the differentia with which the appropriate routine gets a nontrivial factor. Routines 4 and 5 have not been tested.



              n              9797             91961033     5821730755786530029567
              p                97                 9221                 2147483647
              q               101                 9973              2710954639361
            d^-                33                 1029                  830275585
            d^+                27                 6411                  243466239
    (d_0^-, d^-)    (1, 5); (3, 7)    (5, 45); (23, 27)     (1, 20853); (7, 16385)
    (d_0^+, d^+)   (1, 11); (3, 17)   (1, 207); (9, 323)      (17, 917); (39, 851)

Table 1: Preprocessing simplifies the factorization.



From Table 1 we can see that, with the preprocessing, we may be able to find a d_0 which is much smaller than the a-differentia and the b-differentia of n, and after the preprocessing with d_0 we can find a proper factor of n much more easily.
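Algorithms A and B, the preprocessing of algorithm AB (routines 3 and 6) and the first column of Table 1, as an added example that is not the paper's code. It reads the step "if g | n" as "g is a nontrivial divisor of n" (1 < g < n), which is what the proofs use; n = 97 × 101 = 9797 is the first column of Table 1, the 65687 case is the one in Section 5 with the cofactor 65537 chosen here, and 127 × 101 is a constructed instance with the Mersenne prime 2^7 − 1 as a factor.

```python
# Added example, not the paper's code: Gamma_d, Lambda_d, algorithms A(n, d) and
# B(n, d), the preprocessing of algorithm AB (routines 3 and 6) and the first
# column of Table 1.  "If g | n" is read as "g is a nontrivial divisor of n".
from math import gcd

def R(n):
    """Right shift: the integral part of n/2."""
    return n >> 1

def gamma_d(n, d):
    """Gamma_d(n) = n/2 if n is even, (n - d)/2 if n is odd (d odd); equals R(n) - n_0 R(d)."""
    return n // 2 if n % 2 == 0 else (n - d) // 2

def lambda_d(n, d):
    """Lambda_d(n) = n/2 if n is even, (n + d)/2 if n is odd (d odd)."""
    return n // 2 if n % 2 == 0 else (n + d) // 2

def nontrivial(g, n):
    return 1 < g < n

def algorithm_a(n, d, start=None):
    """Algorithm A(n, d); with start = n_1 it is routine 3 of algorithm AB.
    Returns a nontrivial factor of n, or None when a drops to 1 or below."""
    a = n if start is None else start
    while True:
        a = gamma_d(a, d)                                  # step 2
        g = gcd(a - d, n) if a % 2 == 0 else gcd(a, n)     # step 3
        if nontrivial(g, n):                               # step 4
            return g
        if a <= 1:                                         # step 5
            return None

def algorithm_b(n, d, start=None):
    """Algorithm B(n, d); with start = n_2 it is routine 6 of algorithm AB.
    Stops once a <= d, because Lambda_d no longer decreases such an a."""
    a = lambda_d(n if start is None else start, d)        # step 1
    while True:
        g = gcd(a + d, n) if a % 2 == 0 else gcd(a, n)     # step 2
        if nontrivial(g, n):                               # step 3
            return g
        if a <= d:                                         # step 4
            return None
        a = lambda_d(a, d)

def preprocess(n, d0):
    """Algorithm AB preprocessing: n_1 = (n - d_0)/2, n_2 = (n + d_0)/2, both made odd."""
    n1, n2 = (n - d0) // 2, (n + d0) // 2
    while n1 % 2 == 0:
        n1 //= 2
    while n2 % 2 == 0:
        n2 //= 2
    return n1, n2

def routine3(n, d0, d):
    """Routine 3: the Gamma_d iteration started from n_1 instead of n."""
    return algorithm_a(n, d, start=preprocess(n, d0)[0])

def routine6(n, d0, d):
    """Routine 6: the Lambda_d iteration started from n_2 instead of n."""
    return algorithm_b(n, d, start=preprocess(n, d0)[1])

def smallest_differentia(n, run, bound):
    """First odd d <= bound for which run(n, d) succeeds: (d, factor) or None."""
    for d in range(1, bound + 1, 2):
        g = run(n, d)
        if g is not None:
            return d, g
    return None

if __name__ == "__main__":
    n = 97 * 101                                          # first column of Table 1
    print(algorithm_a(n, 33), algorithm_b(n, 27))         # theoretical d^- and d^+
    print(routine3(n, 1, 5), routine6(n, 1, 11))          # the (d_0, d) pairs of Table 1
    print(smallest_differentia(n, algorithm_a, 33), smallest_differentia(n, algorithm_b, 27))
    print(algorithm_a(65687 * 65537, 151))                # the Section 5 prime p'' = 2^16 + 151
    print(algorithm_b(127 * 101, 1))                      # a Mersenne-prime factor, d = 1
```

For 9797 the script returns 101 from A(9797, 33) and 97 from B(9797, 27), and reproduces the Table 1 pairs (1, 5) for routine 3 and (1, 11) for routine 6. With 65687 = 2^16 + 151, A(65687 × 65537, 151) halves a sixteen times and then finds gcd(a − 151, n) = 65537, and B(127 × 101, 1) returns 101 because 127 + 1 = 2^7.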

8. Concluding remarks

In this paper we have developed two new methods for factoring integers. They are efficient for integers with particular properties. It is seen that one class of those integers is the one in which one of the factors (not necessarily a prime factor) has a long segment of all-zero or all-one string in its binary representation.

The idea of preprocessing is that, in case one of the factors of n has a larger number of zeros compared with the number of ones (or vice versa) in its binary representation, but not a segment of all-zero (or all-one) string, the preprocessing would hopefully join the strings into a longer one and consequently one of the complementary algorithms works.
Abstract In this paper, we present a simple and generic construction of systematic authentication codes which are optimal with respect to several bounds. The construction is based on error correcting codes. The authentication codes provide the best level of security with respect to spoofing attacks of various orders, including the impersonation and substitution attacks. The encoding of source states and the authentication verification are very simple and are perhaps the most efficient among all authentication systems.

Keywords: authentication codes, cryptography, linear codes.

1. Introduction 

Nowadays authentication and secrecy of messages are two basic security requirements in many computer and communication systems, and therefore two important areas in cryptography. Authentication codes are designed to provide sender and message authentication, and date back to 1974 when Gilbert, MacWilliams and Sloane published the first paper in this area [see Gilbert, MacWilliams, Sloane, 1974]. Later Simmons [Simmons, 1984] developed a theory of unconditional authentication, which is analogous to Shannon's theory of unconditional secrecy [Shannon, 1949]. During the last twenty years codes that provide authentication and/or secrecy have been considered, and bounds and characterizations of these codes have been established, see, for example, [Gilbert, MacWilliams, Sloane, 1974], [Stinson 1990], [Casse, Martin, and Wild, 1998].

Most existing optimal authentication codes are constructed from combinatorial designs, and seem hard to implement. Even if some of them can be implemented in software or hardware, the implementation may not be efficient. In addition, these authentication codes provide protection against the impersonation and substitution attacks, but may not provide protection against spoofing attacks of order more than 1.

The purpose of this paper is to present a simple and generic construction of 
systematic authentication codes with the following properties: 

■ The authentication codes are optimal with respect to certain bounds.

■ They offer the best security with respect to not only impersonation and substitution attacks, but also spoofing attacks of higher orders.

■ The encoding of source states and authentication are extremely efficient and can be easily implemented in both software and hardware.

The construction of authentication codes presented here is based on error correcting codes, and is different from other constructions of authentication codes using error correcting codes, see [Bierbrauer 1997], [Bierbrauer, Johansson, Kabatianskii and Smeets 1993], [Gilbert, MacWilliams, Sloane, 1974], [Kabatianskii, Smeets, and Johansson, 1996], [Simmons 1984], [Safavi-Naini and Seberry 1991], [Safavi-Naini, Wang and Xing 2001], in the sense that error correcting codes are employed to construct only the source states here in this paper.

2. Systematic authentication codes and some bounds 

A systematic authentication code is a three-tuple $A = (S, T, E)$, where $S$ is a set of source states and is associated with a probability distribution, $T$ is a set of authenticators or tags, $E$ is a set of mappings from $S$ to $T$, and is associated with a probability distribution. Each $e \in E$ defines a one-to-one mapping

$s \mapsto (s, e(s)),$

which is called an encoding rule. Hence we also call $E$ the encoding rule space. The set

$M = S \times \{e(s) : e \in E \text{ and } s \in S\}$

is called the message space. A systematic authentication code is used as follows.

In the basic model for authentication developed by Simmons [Simmons 1984], a transmitter communicates a sequence of distinct source states $s_1, s_2, \ldots, s_i$ from the source state space $S$ to a receiver by encoding them using one secret mapping $e \in E$ into

$[s_j, e(s_j)], \quad j = 1, 2, \ldots, i,$

and sends this sequence of messages to the receiver. For each received message $[s, t]$, the receiver will compute $e(s)$ and check whether $e(s)$ matches $t$. If yes, the receiver will accept it as authentic, otherwise he/she will reject it.

The messages are sent to the receiver through a communication channel which may not be secure. A third party, an opponent, is involved in this model. We assume that the opponent can intercept the messages transmitted and modify or replace them. Assume that the opponent has observed a sequence of messages

$[s_j, e(s_j)], \quad j = 1, 2, \ldots, i,$

sent from the transmitter to the receiver, where all $s_j$ are pairwise distinct. The opponent now may not be able to determine the secret encoding rule $e$, but may have obtained partial information on $e$. The opponent then constructs another message $[s, t]$ such that $\Pr(e(s) = t)$ is maximal, and sends it to the receiver. If $e(s)$ indeed matches $t$, the opponent will be successful in attacking the system. This is called the spoofing attack of order $i$. The cases $i = 0$ and $i = 1$ are called impersonation and substitution attacks respectively. We use $P_{d_i}$ to denote the opponent's maximum probability of success with respect to the spoofing attack of order $i$. We assume that the opponent knows the whole system except the secret encoding rule $e$ shared by the transmitter and receiver.

It was proved in [Rosenbaum 1993] and [Sgarro 1993] that

(1)

for any $i \geq 0$. Here $M^i$ denotes the set of all possible sequences of $i$ pairwise distinct messages and $H$ denotes the uncertainty. These are the information-theoretic bounds, which hold for authentication codes with and without secrecy. We shall need these bounds later.

We have also the following bounds. 



Lemma 2.1. [Stinson 1990] In any systematic authentication code, $P_{d_i} \geq 1/|T|$ for any $i \geq 0$.



Lemma 2.2. [Stinson 1990] In any systematic authentication code, if $P_{d_i} = 1/|T|$ for any $L \geq i \geq 0$, then

$|E| \geq \left( \frac{|M|}{|S|} \right)^{L+1}.$ (2)



A transversal design $\mathrm{TD}_\lambda(t, k, n)$ is a triple $(X, P, A)$, where $X$ is a set of $kn$ points, $P$ is a partition of $X$ into $k$ groups of $n$ points each, and $A$ is a set of $\lambda n^t$ blocks, each of which meets each group in a point, such that every $t$-subset of points from distinct groups occurs in exactly $\lambda$ blocks.

A systematic authentication code for which $P_{d_i} = 1/|T|$ for $0 \leq i \leq L$, and for which

$|E| = \left( \frac{|M|}{|S|} \right)^{L+1},$

is said to be optimal with respect to the bound of (2). Such optimal authentication codes can be used to construct transversal designs.

Theorem 2.3. [Stinson 1990] Assume there is an optimal systematic authentication code for $\ell$ source states, having $v$ messages and $(v/\ell)^t$ encoding rules, and for which $P_{d_i} = \ell/v$ for $0 \leq i \leq t - 1$. Then there exists a transversal design $\mathrm{TD}_1(t, \ell, n)$, where $n = v/\ell$.



The following is a combinatorial bound.

Lemma 2.4. [Stinson 1992] In any systematic authentication code, if $P_{d_i} = 1/|T|$ for $i = 0, 1$, then

(3)



This bound has been generalized into the following; 



Lemma 2.5. [Kurosawa, Okada, Saido, and Stinson, 1998] In any systematic authentication code, if $P_{d_i} = 1/|T|$ for $i = 0, 1, \cdots, t$, then

$|E| \geq \sum_{i=0}^{(t+1)/2} \binom{|S|}{i} (|T| - 1)^i$ if $t$ is odd, and

$|E| \geq \sum_{i=0}^{t/2} \binom{|S|}{i} (|T| - 1)^i + \binom{|S| - 1}{t/2} (|T| - 1)^{t/2 + 1}$ if $t$ is even. (4)

The equality can be obtained if and only if $E$ is uniformly distributed and the authentication matrix is an orthogonal array with strength $t + 1$.



This bound is a generalization of the classical Rao bound for orthogonal arrays [Colbourn and Dinitz 1996, p. 180]. It is also an analogue of the sphere packing bound for linear codes [MacWilliams and Sloane 1977].



3. The construction of the authentication codes 

We shall use $F_q$ to denote the finite field with $q$ elements. Let $k$ be a positive integer, and let $\lambda$ be another integer such that $1 \leq \lambda \leq k$.

1 The source state space $S$ of our authentication codes is a set of $\ell$ nonzero vectors in $F_q^k$ such that any $\lambda$ of them are linearly independent. We assume that all source states are used equally likely. We will deal with the specific constructions of $S$ later in Section 4.

2 The tag space $T$ of our codes is $F_q$.

3 Our space $E$ is defined by $E = F_q^k$. Here all encoding rules are used equally likely, and for each $e \in E$, the encoding rule defined by $e$ is

$u \mapsto (u, e(u)),$

where $e(u) = e_1 u_1 + e_2 u_2 + \cdots + e_k u_k$ and $e = (e_1, e_2, \cdots, e_k) \in E$ and $u = (u_1, u_2, \cdots, u_k) \in S$.
Having described the construction of the authentication codes, we now calculate the deception probabilities with respect to the spoofing attacks of different orders $i$.



Theorem 3.1. For the authentication code described above, we have $P_{d_i} = 1/q$, where $0 \leq i < \lambda \leq k$. In addition, if $\lambda + 1$ elements in $S$ are linearly dependent, then $P_{d_\lambda} = 1$.



Proof: Consider the spoofing attack of order $i$ with $0 \leq i < \lambda$. In this case, the opponent has observed $i$ pairwise distinct messages $(s_j, e(s_j))$. Note that all encoding rules are used equally likely, and all source states are used with equal probability. Recall that by the definition of the source state space, the vectors $s_1, s_2, \cdots, s_i$ are linearly independent. Also the vectors $s_1, s_2, \cdots, s_i$ and $s_{i+1}$ are linearly independent for any $s_{i+1} \in S$ which is different from $s_1, s_2, \cdots, s_i$. We have

$P_{d_i} = \max_{(s_1, t_1), \ldots, (s_i, t_i)} \; \max_{(s_{i+1}, t_{i+1})} \frac{|\{e : e(s_h) = t_h, \; h = 1, 2, \cdots, i + 1\}|}{|\{e : e(s_h) = t_h, \; h = 1, 2, \cdots, i\}|} = \frac{1}{q},$

since $i$ independent linear conditions on $e \in F_q^k$ leave $q^{k-i}$ encoding rules and $i + 1$ such conditions leave $q^{k-i-1}$. Clearly, $P_{d_\lambda} = 1$ if $\lambda + 1$ elements in $S$ are linearly dependent. □



We now consider the optimality of the systematic authentication codes con- 
structed in this section. 



Theorem 3.2. The authentication codes constructed above meet the information theoretic bounds of (1) and the bounds of Lemma 2.1 for all $i$ with $0 \leq i < \lambda$. Hence they are optimal with respect to these bounds.

Proof: The proofs are straightforward and are omitted here. □



Theorem 3.3. If $\lambda = k$, the authentication codes constructed above meet the bound of (2), and give transversal designs $\mathrm{TD}_1(k, |S|, q)$.

Proof: Note that the message space $M = S \times F_q$. We have $|M|/|S| = q$. Hence

$|E| = q^k = \left( \frac{|M|}{|S|} \right)^{\lambda}$ if $\lambda = k$.

Therefore the codes are optimal with respect to the bound of (2) if $\lambda = k$. The conclusion about transversal designs then follows from Theorem 2.3. □



4. Specific constructions of authentication codes from 
error correcting codes 

The construction of authentication codes presented in the previous section is generic. Different constructions of the source state space $S$ yield different systematic authentication codes without secrecy. In this section we present a number of constructions of the source state space $S$ using error correcting codes, and thus obtain several classes of authentication codes within the framework of the generic construction of Section 3.

In the generic construction, we require that $1 \leq \lambda \leq k$. In fact the case $\lambda = 1$ is not interesting. So we shall consider only the cases that $2 \leq \lambda \leq k$. In our construction, the source state space $S$ is a subset of $F_q^k$ such that any $\lambda$ of its elements are linearly independent. For optimality purposes and in view of the bounds of (2) and (4), we wish to have the size of $S$ maximal when $\lambda$ and $k$ are fixed. We are interested in not only the maximal size, but also specific constructions of such sets.

Note that $\lambda \geq 2$. Our source state space $S$ is actually a subset of the projective space $\mathrm{PG}(k - 1, q)$. We now present a generic coding-theory construction of the source state space $S$. Before doing this, we need some notations and notions from finite geometries.

Let $\mathrm{PG}(K, q)$ be the projective space of $K$ dimensions over the finite field $F_q$, $q = p^m$ with $p$ being prime, and let $|\mathrm{PG}(K, q)| = (q^{K+1} - 1)/(q - 1)$.

A set of points in $\mathrm{PG}(K, q)$ are linearly independent if and only if the vectors representing them are a set of linearly independent vectors in the space $F_q^{K+1}$. In $\mathrm{PG}(K, q)$, subspaces will be denoted by $\Pi_i$, where $i$ is the dimension of the subspace. A $\Pi_0$ is a point, a $\Pi_1$ is a line, a $\Pi_2$ is a plane, a $\Pi_3$ is a solid, and a $\Pi_{K-1}$ is a hyperplane or prime.

An $(\ell, r)$-set is a set of $\ell$ points at most $r$ of which lie in a $\Pi_{r-1}$ but some $r + 2$ lie in a $\Pi_r$; that is, $r + 1$ points are always linearly independent, but some $r + 2$ points are linearly dependent. We use $M_r(k, q)$ to denote the maximum $\ell$ such that an $(\ell, r)$-set exists.

Any $(\ell, r)$-set could be used as the source state space $S$ in the construction of Section 3, and the authentication code obtained will still be optimal with respect to the information-theoretic lower bounds of (1). But we are interested more in the lower bound of (2), and thus the case that $\lambda = k$. The construction of $(\ell, r)$-sets is an important area in finite geometries [Hirschfeld and Storme 1998]. Here we intend to present some $(\ell, r)$-sets constructed from error correcting codes and thus some constructions of authentication codes within the generic construction of Section 3.

Linear error correcting codes can also be used to construct $(\ell, r)$-sets. An $[\ell, k]$ linear code $C$ over $F_q$ is a $k$-dimensional subspace of $F_q^\ell$. A generator matrix $G$ of $C$ is any matrix whose row vectors form a basis of the subspace $C$. The column vectors of any generator matrix $G$ of an $[\ell, k]$ linear code form an $(\ell, r)$-set, where $r = d - 2$ and $d$ is the minimum distance of the dual code of $C$. Of course the size of such an $(\ell, r)$-set may not be maximal, i.e., it may be smaller than $M_r(k, q)$. However, such an $(\ell, r)$-set can be used as the source state space in the construction of Section 3, and the authentication code is still optimal with respect to the information theoretic bounds of (1) and the bounds of Lemma 2.1, but may or may not be optimal with respect to the bound of (2).

The coding theory construction above of $(\ell, r)$-sets is generic and effective. As long as the minimum distance of a linear code over $F_q$ is known, any generator matrix of its dual code gives an $(\ell, r)$-set. In the following subsections, we use specific error correcting codes to construct $(\ell, r)$-sets, and thus the source state space $S$ and the corresponding authentication codes.

4.1 The construction from MDS codes 

An $[\ell, k, d]$ linear code with $d = \ell - k + 1$ is called maximum distance separable, or MDS for short. The dual of an $[\ell, k, \ell - k + 1]$ MDS code is also an $[\ell, \ell - k, k + 1]$ MDS code. Let $C$ be an $[\ell, k, d]$ MDS code over $F_q$, and $G$ be a generator matrix of $C$. Define $S$ to be the set of column vectors of $G$. Since $C^\perp$ has minimum distance $k + 1$, any $k$ elements of $S$ are linearly independent and at least one set of $k + 1$ elements of $S$ are linearly dependent. With this source state space $S$, the generic construction of Section 3 gives an authentication code $(S, T, E)$ with

$|S| = \ell, \quad |T| = q, \quad |E| = q^k, \quad P_{d_i} = \frac{1}{q}$

for $i = 0, 1, \cdots, k - 1$, but $P_{d_k} = 1$. This authentication code is optimal with respect to the bounds of (1) and Lemma 2.1.

MDS codes over $F_q$ with the following parameters exist [MacWilliams and Sloane, Chap. 11]:

1 $[q - 1, k, q - k]$ Reed-Solomon codes, where $1 \leq k \leq q - 1$;

2 $[q, k, q - k + 1]$ extended RS codes, where $1 \leq k \leq q$;

3 $[q + 1, k, q - k + 2]$ cyclic codes, where $1 \leq k \leq q + 1$.

Consider the authentication code based on a $[q + 1, k, q - k + 2]$ code, where $q$ is odd. If $k = 2$, it is easily checked that the bound of (4) is met. If $k = 3$ or $k = 4$, this bound is not met.

A permutation polynomial $F(x)$ over $F_q$ is a polynomial over $F_q$ that induces a permutation of $F_q$. An o-polynomial is a permutation polynomial over $F_q$ of degree at most $q - 2$, satisfying $F(0) = 0$ and $F(1) = 1$, and such that $F_s(x) = (F(x + s) - F(s))/x$ is a permutation polynomial for each $s \in F_q$, satisfying $F_s(0) = 0$. There are several classes of o-polynomials over $F_q$ when $q$ is even [Hirschfeld and Storme 1996]. For example, $F(x) = x^2$ is an o-polynomial.
Let $t_0, t_1, \cdots, t_{q-1}$ denote all the elements of $F_q$, and let $F(x)$ be an o-polynomial over $F_q$. If $q$ is even, the following matrix

$G = \begin{pmatrix} 0 & 0 & 1 & 1 & \cdots & 1 \\ 0 & 1 & t_0 & t_1 & \cdots & t_{q-1} \\ 1 & 0 & F(t_0) & F(t_1) & \cdots & F(t_{q-1}) \end{pmatrix}$

generates a $[q + 2, 3, q]$ MDS code. Its dual has parameters $[q + 2, q - 1, 4]$. Since there are a number of o-polynomials $F(x)$, we have a number of classes of $[q + 2, 3, q]$ MDS codes over $F_q$. We now prove that the authentication codes based on these MDS codes are also optimal with respect to the bound of (4). In this case, we have $t = 2$, $|S| = q + 2$ and $|T| = q$. Hence

$1 + (q + 2)(q - 1) + (q + 1)(q - 1)^2 = q^3 = |E|.$

Thus the bound of (4) is met.

4.2 The construction from the duals of almost MDS codes 

An $[\ell, k, d]$ linear code with $d = \ell - k$ is called almost maximum distance separable, or almost MDS for short [De Boer 1996]. Let $C$ be an $[\ell, \ell - k, k]$ almost MDS code over $F_q$. Then $C^\perp$ has dimension $k$. Define $S$ to be the set of column vectors of a generator matrix of $C^\perp$. Then any $k - 1$ elements of $S$ are linearly independent, but some $k$ elements of $S$ are linearly dependent. With this source state space $S$, the generic construction of Section 3 gives an authentication code $(S, T, E)$ with

$|S| = \ell, \quad |T| = q, \quad |E| = q^k, \quad P_{d_i} = \frac{1}{q}$

for $i = 0, 1, \cdots, k - 2$, but $P_{d_{k-1}} = 1$. This authentication code is optimal with respect to the first two types of bounds described in Section 2, but not optimal with respect to the bound of (2) in general. However it could be optimal with respect to this bound in certain cases, as demonstrated below.

The dual of an MDS code is still MDS. But the dual of an almost MDS code may not be almost MDS. If a code and its dual both are almost MDS (AMDS), the code is called near MDS (in short, NMDS). In fact almost MDS codes are much more complicated than MDS codes. For example, the weight distribution of MDS codes is known, but that of almost MDS codes is not determined.

There are several classes of almost MDS codes. The $[q^2 + q + 1, q^2 + q - 2, 3]$ Hamming code is almost MDS. Its dual is the $[q^2 + q + 1, 3, q^2]$ simplex code.
Theorem 4.1. The authentication code based on the dual of the $[q^2 + q + 1, q^2 + q - 2, 3]$ Hamming code, i.e., on the $[q^2 + q + 1, 3, q^2]$ simplex code, has

$|S| = q^2 + q + 1, \quad |T| = q, \quad |E| = q^3, \quad P_{d_i} = \frac{1}{q}$

for $i = 0, 1$, but $P_{d_2} = 1$.

This authentication code is optimal with respect to the first two types of bounds described in Section 2, but not optimal with respect to the bound of (2). However it is also optimal with respect to the bound of (4).

Theorem 4.2. There is a $[q^2 + 1, q^2 - 3, 4]$ almost MDS code $C$ over $F_q$ for odd $q$ [Hirschfeld and Storme 1996]. The authentication code based on $C^\perp$ has

$|S| = q^2 + 1, \quad |T| = q, \quad |E| = q^4, \quad P_{d_i} = \frac{1}{q}$

for $i = 0, 1, 2$, but $P_{d_3} = 1$.

This authentication code is optimal with respect to the first two types of bounds described in Section 2, but not optimal with respect to the bounds of (2) and (4).
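As an added worked example (not code from the paper), the generic construction of Section 3 instantiated with the source state space of Theorem 4.1, the points of PG(2, q) for a prime q: tags are computed as e(u) = e_1 u_1 + ... + e_k u_k over F_q, the deception probabilities P_{d_i} are found by brute force exactly as in the proof of Theorem 3.1, and the right-hand side of bound (4) is evaluated. The function names (pg_points, deception_probability, rao_bound) are my own.

```python
"""Systematic authentication code of Section 3 built on the simplex code of
Theorem 4.1 (added example; q is taken prime so F_q is arithmetic mod q)."""
from fractions import Fraction
from itertools import combinations, product
from math import comb


def pg_points(k, q):
    """Points of PG(k-1, q): nonzero vectors of F_q^k normalised so that the
    first nonzero coordinate is 1. They are the columns of a generator matrix of
    the [(q^k-1)/(q-1), k, q^(k-1)] simplex code and form the source state space S."""
    pts = []
    for v in product(range(q), repeat=k):
        nonzero = [x for x in v if x]
        if nonzero and nonzero[0] == 1:
            pts.append(v)
    return pts


def tag(e, u, q):
    """Encoding rule e = (e_1, ..., e_k) applied to source state u:
    e(u) = e_1 u_1 + ... + e_k u_k over F_q (k-1 additions, k multiplications)."""
    return sum(a * b for a, b in zip(e, u)) % q


def accept(e, message, q):
    """Receiver's check for a message [u, t]: recompute e(u) and compare with t."""
    u, t = message
    return tag(e, u, q) == t


def deception_probability(S, q, k, i):
    """P_{d_i} by exhaustive search, following the proof of Theorem 3.1: over every
    choice of i observed messages and every forged message (s, t), the fraction
    of encoding rules consistent with the observation that also accept the forgery."""
    E = list(product(range(q), repeat=k))
    best = Fraction(0)
    for observed in combinations(S, i):
        # every attainable set of observed tags arises from some genuine rule
        for genuine in E:
            obs = [(u, tag(genuine, u, q)) for u in observed]
            consistent = [e for e in E if all(accept(e, m, q) for m in obs)]
            for s in S:
                if s in observed:
                    continue
                for t in range(q):
                    hits = sum(1 for e in consistent if tag(e, s, q) == t)
                    best = max(best, Fraction(hits, len(consistent)))
    return best


def rao_bound(t, n_states, n_tags):
    """Right-hand side of bound (4): the Rao bound for an orthogonal array of
    strength t+1 with n_states columns and n_tags symbols."""
    s = n_tags - 1
    if t % 2 == 1:
        return sum(comb(n_states, i) * s**i for i in range((t + 1) // 2 + 1))
    u = t // 2
    return sum(comb(n_states, i) * s**i for i in range(u + 1)) + comb(n_states - 1, u) * s**(u + 1)


def simplex_code_summary(q):
    """Deception probabilities and the bound check for k = 3 (Theorem 4.1)."""
    k = 3
    S = pg_points(k, q)
    probs = [deception_probability(S, q, k, i) for i in range(3)]
    return {
        "num_states": len(S),                  # q^2 + q + 1
        "num_rules": q**k,                     # |E|
        "P_d": probs,                          # 1/q, 1/q, 1
        "bound4_t1": rao_bound(1, len(S), q),  # equals q^3, so (4) is met
    }


if __name__ == "__main__":
    print(simplex_code_summary(3))
```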

4.3 The construction from the duals of perfect codes 

An $[\ell, k, 2e + 1]$ code over $F_q$ is called perfect if

$\sum_{i=0}^{e} \binom{\ell}{i} (q - 1)^i = q^{\ell - k}.$ (5)

Theorem 4.3. Let $C$ be an $[\ell, \ell - k, 2e + 1]$ code over $F_q$. The authentication code based on $C^\perp$ has the following parameters

$|S| = \ell, \quad |T| = q, \quad |E| = q^k, \quad P_{d_i} = \frac{1}{q}$

for $i = 0, 1, \cdots, 2e - 1$.

This authentication code is optimal with respect to the bound of (2) if and only if $k = 2e$, i.e., if and only if $C$ is an $[\ell, \ell - k, k + 1]$ MDS code.

This authentication code is optimal with respect to the bound of (4) if and only if $C$ is perfect.

Proof: We now prove that the authentication code is optimal with respect to the bound of (2) if and only if $k = 2e$, i.e., if and only if $C$ is an $[\ell, \ell - k, k + 1]$ MDS code. Note that $|E| = q^k$, $|M|/|S| = q$, and $L = 2e - 1$. We see that the bound of (2) is met if and only if $k = 2e$, which is equivalent to $C$ being an $[\ell, \ell - k, k + 1]$ MDS code.
The bound of (4) holds with equality if and only if $|E| = \sum_{i=0}^{e} \binom{|S|}{i} (|T| - 1)^i$, which becomes $q^k = \sum_{i=0}^{e} \binom{\ell}{i} (q - 1)^i$. This is equivalent to $\sum_{i=0}^{e} \binom{\ell}{i} (q - 1)^i = q^{\ell - (\ell - k)}$, which is the condition (5) for $C$ being perfect. □

There are only three types of perfect codes [MacWilliams and Sloane, Chapter 6, Section 10]:

■ The $[(q^k - 1)/(q - 1), (q^k - 1)/(q - 1) - k, 3]$ Hamming codes.

■ The binary $[23, 12, 7]$ Golay code.

■ The ternary $[11, 6, 5]$ Golay code.

The column vectors of the generator matrix of the simplex code consist of all points in $\mathrm{PG}(k - 1, q)$. The simplex code has length $(q^k - 1)/(q - 1)$, dimension $k$, and minimum distance $q^{k-1}$. Its dual code is the $[(q^k - 1)/(q - 1), (q^k - 1)/(q - 1) - k, 3]$ Hamming code. These three perfect codes give authentication codes which are optimal with respect to the bound of (4).

5. Open problems 

The bound of (4) is not tight at least in the case t being odd. It may be 
strengthened into a bound similar to the Johnson bound using similar techniques 
[MacWilliams and Sloane, pp. 532-533]. 

Open problem: Strengthen the bound of (4). 

With respect to our construction and the bound of (4), perfect codes give the best authentication codes. However, Hamming codes are the only class of perfect codes which contains infinitely many codes. We may use nearly perfect and quasi-perfect codes [Pless 1998, p. 132] to construct good authentication codes within the framework of the generic construction described in this paper.

6. Concluding remarks 

In this paper we presented a simple and generic construction of systematic authentication codes with the properties outlined in Section 1. The encoding of a source state or the authentication checking takes only $k - 1$ additions and $k$ multiplications over $F_q$, and thus is extremely efficient. In addition, the systematic authentication codes constructed in this paper are based on error correcting codes and thus are algebraic.
Abstract Binary expression of integer sums is investigated. A precise formula is presented for the coefficients of binary expressions of integer sums. This formula is a basis for some other results.
1. Introduction

Sequences over $F_2$ are very important both in theory and practice. They attract more and more attention with the development of computers and modern cryptography. Sequences over $F_2$ can be derived from sequences over $Z_{2^e}$, the ring of integers modulo $2^e$. Some ways of deriving pseudorandom binary sequences from sequences over $Z_{2^e}$ are investigated in [1]. And in the same paper the periods and linear complexities of the derived sequences are investigated as well.

Since the way of handling overflows in $Z_{2^e}$ is different from that in $F_{2^e}$, sequences over $Z_{2^e}$ are of particular interest from an application point of view as they can be generated very efficiently on microprocessors when $e$ is the word length of the processor.

In China cryptography researchers noticed the significance of sequences over $Z_{2^e}$ in the 1980's and worked on them systematically [2-8].

Recently, studies on sequences over $Z_{2^e}$ are still active [9-11]. As a natural generalization, sequences over Galois rings have been discussed [12-14].

In the study of sequences over $Z_{2^e}$ the carries of sequences over $Z_{2^e}$ play an important role. We observe that the carries of sequences over $Z_{2^e}$ are based on properties of integer sums in $Z_{2^e}$. Therefore, we focus on the study of integer sums in this paper and present a precise formula for the coefficients of binary expressions of integer sums utilizing Lucas' Theorem. We point out that this formula can be used to improve the results in [1] as an application. And as another application we plan to use this formula to present a proof for the result given in [5] which has not been given a complete proof until now. We point out that our result can be generalized over $Z_{p^e}$ further and may lead to a generalization of the concepts and results on sequences over $Z_{2^e}$ to those over $Z_{p^e}$ where $p$ is a prime.

2. Preparation

At first we present Lucas' Theorem and its proof for the sake of convenience.

Lemma 2.1 (Lucas' Theorem). Let $a = \sum_{i=0}^{N} a_i 2^i$, $a_i \in \{0, 1\}$, and $b = \sum_{i=0}^{N} b_i 2^i$, $b_i \in \{0, 1\}$. Then

$\binom{a}{b} \equiv \prod_{i=0}^{N} \binom{a_i}{b_i} \pmod 2.$ (1)

Proof. Let $x$ be an indeterminate and consider the polynomial $(x + 1)^a \in F_2[x]$, where $F_2$ is the binary field. Expanding $(x + 1)^a$ over $F_2$ we have that

(2)

On the other hand,

$(x + 1)^a = \prod_{i=0}^{N} (x + 1)^{a_i 2^i} = \prod_{i=0}^{N} (x^{2^i} + 1)^{a_i}.$ (3)

Consider the coefficient of $x^b$ in (3). By the uniqueness of the binary expression of $b$ it is easy to see that the coefficient of $x^b$ is

(4)

Taking into account (2), (3) and (4) one achieves (1). □

Secondly, we introduce a classical result on the binary expression of bit sums which was presented in [16]. As an application of Lucas' Theorem we present the proof of this result.
Lemma 2.2. Let $c_i \in \{0, 1\}$, $1 \leq i \leq N$, and $a_j \in \{0, 1\}$, $0 \leq j \leq e$, and

$\sum_{i=1}^{N} c_i = \sum_{0 \leq j \leq e} a_j 2^j.$ (5)

Then

$a_j \equiv \sum_{1 \leq i_1 < i_2 < \cdots < i_{2^j} \leq N} c_{i_1} c_{i_2} \cdots c_{i_{2^j}} \pmod 2.$ (6)

Proof. Firstly we assume $c_i \neq 0$ for all $1 \leq i \leq N$. In this case we have

$\sum_{1 \leq i_1 < i_2 < \cdots < i_{2^j} \leq N} c_{i_1} c_{i_2} \cdots c_{i_{2^j}} = \binom{N}{2^j}.$ (7)

And by Lemma 2.1 we have

$\binom{N}{2^j} \equiv \prod_{i} \binom{a_i}{b_i} \equiv a_j \pmod 2, \quad \text{where } b_i = \begin{cases} 1, & i = j, \\ 0, & i \neq j. \end{cases}$ (8)

Thus, combining (7) and (8) we obtain equation (6).

As for the case of $c_i = 0$ for some $i$, we may assume that

$\sum_{i=1}^{N} c_i = n.$

And it is easy to see that equations (7) and (8) are transformed into

$\sum_{1 \leq i_1 < i_2 < \cdots < i_{2^j} \leq N} c_{i_1} c_{i_2} \cdots c_{i_{2^j}} = \binom{n}{2^j}$ (9)

and

$\binom{n}{2^j} \equiv \prod_{i} \binom{a_i}{b_i} \equiv a_j \pmod 2, \quad \text{where } b_i = \begin{cases} 1, & i = j, \\ 0, & i \neq j. \end{cases}$ (10)

Combining (9) and (10) we obtain equation (6) as well. □



3. Main theorem 

Suppose there are $N$ integers which are expressed in binary form. If the sum of them is expressed in binary form, we want to know the coefficients of the binary expression as a combination of the integers' binary coefficients. We present a precise formula in the following, which can be viewed as a generalization of Lemma 2.2.

Firstly, we need some notations and concepts to make the description of the result clear and easy.

For simplicity of narrative we suppose the integers involved are all in the ring $Z_{2^{e+1}}$, the integer ring modulo $2^{e+1}$, and expressed in binary form.

Definition 3.1. Set

$\Omega_k = \{(i, k) \mid 1 \leq i \leq N\}$ (11)

and

$\Omega = \bigcup_{0 \leq k \leq e} \Omega_k.$ (12)

Let $X_{i,k}$ be indeterminates, $(i, k) \in \Omega_k$. By $X$ we mean the set of indeterminates $X_{i,k}$ with $(i, k) \in \Omega_k$, $0 \leq k \leq e$.

Let $I = \bigcup_{0 \leq k \leq e} I_k$, $I_k \subseteq \Omega_k$, and define

$|I| = \sum_{0 \leq k \leq e} |I_k| \, 2^k,$ (13)

where $|I_k|$ is the number of elements in $I_k$.

Definition 3.2.

$\pi_I(X) = \prod_{(i,k) \in I} X_{i,k}$ (14)

and

$f_\lambda(X) = \sum_{I \subseteq \Omega, \, |I| = \lambda} \pi_I(X)$ (15)

are called minor term function and $\lambda$-function respectively.

We may consider now the integer sum. We assume the integers have been expressed in binary form and present the result in terms of the notations and concepts we defined above.

Theorem 3.3. Suppose $m_i = \sum_{0 \leq k \leq e} m_{i,k} 2^k$, $m_{i,k} \in \{0, 1\}$, $1 \leq i \leq N$, $0 \leq k \leq e$, are positive integers in $Z_{2^{e+1}}$. Let

$d = \sum_{1 \leq i \leq N} m_i = \sum_{1 \leq i \leq N, \, 0 \leq k \leq e} m_{i,k} 2^k \pmod{2^{e+1}}$ (16)

with binary expression $d = \sum_{0 \leq \lambda \leq e} D_\lambda 2^\lambda$. Then

$D_\lambda \equiv f_{2^\lambda}(X) \big|_{X_{i,k} = m_{i,k}} \pmod 2.$ (17)
Proof. Suppose $d = (d_{i,k})$ is the array of binary coefficients $d_{i,k} = m_{i,k}$ of the summands. Define

$\Omega_k(d) = \{(i, k) \mid d_{i,k} = 1, \, 1 \leq i \leq N\} \subseteq \Omega_k,$ (18)

$\Omega(d) = \bigcup_{0 \leq k \leq e} \Omega_k(d) = \{(i, k) \mid d_{i,k} = 1, \, 1 \leq i \leq N, \, 0 \leq k \leq e\} \subseteq \Omega.$ (19)

We prove this theorem by claiming several facts.

If for a given $I \subseteq \Omega$ we define

$\pi_I(d) = \pi_I(X) \big|_{X_{i,k} = d_{i,k}},$ (20)

then according to the definition of $\Omega(d)$, the following fact is evident.

Fact 3.4.

$\pi_I(d) = \begin{cases} 1, & I \subseteq \Omega(d), \\ 0, & \text{otherwise.} \end{cases}$

Fact 3.5. Let

$d_k = \sum_{(i,k) \in \Omega_k} d_{i,k} = |\Omega_k(d)|.$ (21)

Then

$\binom{d_k}{j} \equiv \sum_{I_k \subseteq \Omega_k(d), \, |I_k| = j} \pi_{I_k}(d) \pmod 2.$ (22)

Proof. This is another expression of Lemma 2.2 in our language. □

Fact 3.6.

$\prod_{0 \leq k \leq e} \binom{d_k}{j_k} \equiv \sum_{I = \bigcup_{0 \leq k \leq e} I_k, \; I_k \subseteq \Omega_k, \; |I_k| = j_k} \pi_I(d) \pmod 2.$ (23)

Proof. By Fact 3.5 we have

$\prod_{0 \leq k \leq e} \binom{d_k}{j_k} \equiv \Big( \sum_{I_0 \subseteq \Omega_0(d), \, |I_0| = j_0} \pi_{I_0}(d) \Big) \cdots \Big( \sum_{I_e \subseteq \Omega_e(d), \, |I_e| = j_e} \pi_{I_e}(d) \Big) \pmod 2.$

And if $I = \bigcup_{0 \leq k \leq e} I_k$, then $\pi_I(X) = \pi_{I_0}(X) \cdots \pi_{I_e}(X)$. So we have

$\Big( \sum_{I_0 \subseteq \Omega_0(d), \, |I_0| = j_0} \pi_{I_0}(d) \Big) \cdots \Big( \sum_{I_e \subseteq \Omega_e(d), \, |I_e| = j_e} \pi_{I_e}(d) \Big) = \sum_{I = \bigcup_{0 \leq k \leq e} I_k, \; I_k \subseteq \Omega_k(d), \; |I_k| = j_k} \pi_I(d) \equiv \sum_{I = \bigcup_{0 \leq k \leq e} I_k, \; I_k \subseteq \Omega_k, \; |I_k| = j_k} \pi_I(d) \pmod 2.$

The last equality is from Fact 3.4. □



From Fact 3.6 we may directly claim

Fact 3.7.

$\sum_{(j_0, \cdots, j_e) : \, \sum_{0 \leq k \leq e} j_k 2^k = \lambda} \; \prod_{0 \leq k \leq e} \binom{d_k}{j_k} \equiv \sum_{I \subseteq \Omega(d), \, |I| = \lambda} \pi_I(d) \pmod 2.$ (24)



On Coefficients of Binary Expression of Integer Sums

Fact 3.8. Suppose $d = \sum_{(i,k) \in \Omega} d_{i,k} 2^k$. Then

$\binom{d}{\lambda} \equiv f_\lambda(X) \big|_{X = d} \pmod 2,$

where $f_\lambda(X) = \sum_{I \subseteq \Omega, \, |I| = \lambda} \pi_I(X)$.

Proof. We expand the following polynomial over $F_2$:

$\prod_{(i,k) \in \Omega} (x^{2^k} + 1)^{d_{i,k}} = \prod_{0 \leq k \leq e} \; \sum_{0 \leq j_k \leq d_k} \binom{d_k}{j_k} x^{j_k 2^k}$ (25)

$= \sum_{\lambda \geq 0} x^\lambda \sum_{(j_0, \cdots, j_e) : \, \sum_{0 \leq k \leq e} j_k 2^k = \lambda} \; \prod_{0 \leq k \leq e} \binom{d_k}{j_k}.$ (26)

On the other hand,

$\prod_{(i,k) \in \Omega} (x^{2^k} + 1)^{d_{i,k}} = (x + 1)^{\sum_{(i,k) \in \Omega} d_{i,k} 2^k} = (x + 1)^d = \sum_{\lambda \geq 0} \binom{d}{\lambda} x^\lambda.$ (27)

Thus, comparing the coefficients of $x^\lambda$ in (26) and (27) we have

$\binom{d}{\lambda} \equiv \sum_{(j_0, \cdots, j_e) : \, \sum_{0 \leq k \leq e} j_k 2^k = \lambda} \; \prod_{0 \leq k \leq e} \binom{d_k}{j_k} \equiv \sum_{I \subseteq \Omega(d), \, |I| = \lambda} \pi_I(d) \equiv \sum_{I \subseteq \Omega, \, |I| = \lambda} \pi_I(X) \big|_{X = d} = f_\lambda(X) \big|_{X = d} \pmod 2.$

The second congruence is Fact 3.7 and the third is Fact 3.4. □

By Lucas' Theorem (Lemma 2.1), taking $a = d$ and $b = 2^\lambda$ we have $D_\lambda \equiv \binom{d}{2^\lambda} \pmod 2$. By Fact 3.8 we have $\binom{d}{2^\lambda} \equiv f_{2^\lambda}(X) \big|_{X = d} \pmod 2$. This completes the proof of Theorem 3.3. □
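An added example (not from the paper) that evaluates the λ-function f_λ of Definition 3.2 at X_{i,k} = m_{i,k} by direct enumeration of the subsets I ⊆ Ω(d) of weighted size λ, and checks Theorem 3.3 against the actual bits of the sum and against the binomial form of Fact 3.8 with Lucas' Theorem; it also checks Lemma 2.2 on a constructed bit vector. The inputs are constructed and the function names are my own.

```python
"""Bits of an integer sum as the lambda-function of Theorem 3.3 (added example)."""
from itertools import combinations
from math import comb


def omega_d(M, e):
    """Omega(d): the pairs (i, k) with m_{i,k} = 1, i.e. the positions of the set
    bits of the summands m_1..m_N (index i from 1, bit position k from 0 to e)."""
    return [(i + 1, k) for i, m in enumerate(M) for k in range(e + 1) if (m >> k) & 1]


def lambda_function_at_d(M, e, lam):
    """f_lambda(X) evaluated at X_{i,k} = m_{i,k}, reduced mod 2. By Fact 3.4 only
    the subsets I of Omega(d) contribute, and each contributes 1 exactly when its
    weighted size sum_k |I_k| 2^k (definition (13)) equals lambda."""
    positions = omega_d(M, e)
    count = 0
    for size in range(len(positions) + 1):
        for subset in combinations(positions, size):
            if sum(1 << k for _, k in subset) == lam:
                count += 1
    return count % 2


def sum_bits_by_theorem(M, e):
    """D_lambda for 0 <= lambda <= e via (17): D_lambda = f_{2^lambda}(X)|_{X=m} mod 2."""
    return [lambda_function_at_d(M, e, 1 << lam) for lam in range(e + 1)]


def sum_bits_directly(M, e):
    """Ground truth: binary expression of d = sum(M) mod 2^(e+1)."""
    d = sum(M) % (1 << (e + 1))
    return [(d >> lam) & 1 for lam in range(e + 1)]


def sum_bits_by_lucas(M, e):
    """Fact 3.8 combined with Lemma 2.1: bit lambda of the unreduced sum d is
    C(d, 2^lambda) mod 2 (the low e+1 bits agree with the reduced sum)."""
    d = sum(M)
    return [comb(d, 1 << lam) % 2 for lam in range(e + 1)]


def bit_sum_by_lemma_2_2(c):
    """Lemma 2.2: a_j = (sum over i_1 < ... < i_{2^j} of c_{i_1} ... c_{i_{2^j}}) mod 2,
    the elementary symmetric polynomial of degree 2^j in the bits c_i, mod 2."""
    N = len(c)
    bits = []
    j = 0
    while (1 << j) <= N:
        total = 0
        for idx in combinations(range(N), 1 << j):
            term = 1
            for i in idx:
                term *= c[i]
            total += term
        bits.append(total % 2)
        j += 1
    return bits


if __name__ == "__main__":
    # constructed input: N = 3 summands in Z_16 (e = 3), sum 14 = 1110 in binary
    M, e = [5, 6, 3], 3
    print(sum_bits_by_theorem(M, e), sum_bits_directly(M, e), sum_bits_by_lucas(M, e))
    # constructed bit vector with four ones: sum 4 = 100 in binary
    print(bit_sum_by_lemma_2_2([1, 1, 0, 1, 1]))
```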



4. Conclusions 

In [1], the concept of carry sequences is defined for linear recurring sequences over $Z_{2^e}$. Applying the result in this paper the concept and result in [1] can be simplified. For the reason of limited space and complicated notations the work will be left for another paper.

As a matter of fact, our original ambition was to present a proof for the main lemma in [5] and finally give the detailed proof of the lower bounds of linear complexity of sequences over $Z_{2^e}$. In the process of working on this task, we gradually clarified the essence of the problem, abstracted the key concepts and reached the result. Applying this result we can achieve our original goal, but it will be a lengthy work and we will not do it in this paper.

We point out that our result may be generalized without any difficulties in essence. The more significant goal in our mind is to generalize the concepts and results of sequences over $Z_{2^e}$. We consider it a more difficult task to complete.
Abstract Proxy signcryption scheme is the combination of proxy signature and encryption. This paper presents a new proxy signcryption scheme based on Shin et al.'s DSA-verifiable signcryption scheme. As compared to the previous schemes, the proposed scheme has the following advantages: it can protect the proxy signer against the original signer's forgery attack; it can be publicly verified; it provides the forward secrecy property with respect to the proxy signer.

Keywords: signcryption, proxy signature, proxy signcryption



Introduction 

Secure and authenticated message transmission is one of the major aims 
of computer and communication security research. The traditional method to 
achieve this is signature followed by encryption. Nyberg and Rueppel suggested 
an authenticated encryption scheme of this type as an application of their mes- 
sage recovery signature scheme [1]. An authenticated encryption scheme is a 
message transmission scheme which sends messages in a secure and authentic 
way. Basically, an authenticated encryption scheme should satisfy the follow- 
ing properties: 

(1) confidentiality: it is computationally infeasible for an adaptive attacker to 
find out any secret information from a ciphertext. 

(2) authenticity (unforgeability): it is computationally infeasible for an adaptive attacker to masquerade as the sender in sending a message.

(3) nonrepudiation: it is computationally feasible for a third party to settle a dispute between the sender and the receiver in an event where the sender denies the fact that he is the originator of the message.

In 1997, Zheng introduced the concept of signcryption schemes [2]. It was claimed that authenticity, confidentiality and nonrepudiation were gained and the efficiency is superior to all schemes based on the aforementioned paradigms. However, Petersen et al. pointed out that the way to gain nonrepudiation violates the confidentiality in Zheng's scheme [3]. Later on many improved schemes were suggested [4, 5, 6].

In 1998, Gamage et al. introduced the notion of proxy signcryption [7]. A proxy signcryption scheme is the combination of proxy signature [8] and encryption. Since Gamage et al.'s proxy signcryption scheme is based on Zheng's original scheme, it has the same weaknesses as Zheng's scheme. Later on, Jung et al. proposed a scheme to overcome the weakness in Gamage et al.'s scheme [5]. However, Jung et al.'s scheme can not be publicly verified. In this paper, the authors propose a new proxy signcryption scheme based on Shin et al.'s DSA-verifiable signcryption scheme. As compared to the previous schemes, the proposed scheme has the following advantages: it can protect the proxy signer against the original signer's forgery attack; it can be publicly verified; it has the forward secrecy property.

1. Related works 

In this section, we give a brief description of Gamage et al.'s proxy signcryption 
scheme and Shin et al.'s DSA-verifiable signcryption scheme. Throughout 
this paper, we will use the following setting. Let $p$, $q$ and $g$ be the public 
parameters: $p$ a large prime, $q$ a large prime divisor of $p - 1$ and $g$ an element of 
$Z_p^*$ of order $q$. Let $H$ be a one-way hash function. Encrypting a message $m$ 
with a key $k$ is denoted by $E_k(m)$, while decrypting a ciphertext $c$ with a key $k$ is 
denoted by $D_k(c)$. We use $KH_k(m)$ to denote hashing a message $m$ with a keyed hash 
function $KH$ under a key $k$. We assume that the original signer is Alice and the receiver is 
Bob. The secret key and public key pairs of Alice and Bob are $(x_a, y_a)$ and 
$(x_b, y_b)$, where $y_a = g^{x_a} \bmod p$ and $y_b = g^{x_b} \bmod p$. The secret key and 
public key pair of the proxy signer is $(x_p, y_p)$, where $y_p = g^{x_p} \bmod p$. 

1.1 Gamage et al.'s proxy signcryption scheme 

Proxy key generation: Alice randomly selects $x' \in_R Z_q^*$ and computes 

$K' = g^{x'} \bmod p$ and $x_{ap} = x_a + x' K' \bmod q$. 

Alice sends $(x_{ap}, K')$ through a secure channel to the proxy signer. The proxy 
signer accepts $x_{ap}$ as a valid proxy signature key only if the following equation 
holds: 

$g^{x_{ap}} = y_a K'^{K'} \bmod p$. 

Proxy signcryption: The proxy signer randomly chooses $x \in_R Z_q^*$ and computes 

$k = y_b^x \bmod p$. 

Then he splits $k$ into $k_1$ and $k_2$, and calculates 

$c = E_{k_1}(m)$, $r = KH_{k_2}(m)$ and $s = x / (r + x_{ap}) \bmod q$. 

The proxy signer sends $(c, r, s, K')$ to Bob. 

Proxy unsigncryption: Bob computes 

$y_{ap} = y_a K'^{K'} \bmod p$ and $k = (y_{ap} g^r)^{s x_b} \bmod p$, 

then splits $k$ into $k_1$ and $k_2$. He recovers the message $m = D_{k_1}(c)$ and accepts 
$m$ as a valid message of the proxy signer only if the following equation holds: 

$KH_{k_2}(m) = r$. 

Similar to Zheng's original scheme, in Gamage et al.'s proxy signcryption 
scheme the following equation holds: 

$k = y_b^x = (y_{ap} g^r)^{s x_b} = y_b^{s(r + x_{ap})} \bmod p$. 

When a third party knows $x_{ap}$, he can compute $k$ as on the right side of the 
equation from the public values $y_b$, $r$ and $s$, and then decrypt $c$. So this proxy 
signcryption scheme does not provide the forward secrecy property with respect to the 
proxy signer. Since Alice knows $x_{ap}$, this scheme does not protect the proxy signer 
from Alice forging a proxy signcryption. Moreover, the proxy signature of this 
scheme cannot be publicly verified. 

1.2 Shin et al.'s DSA-verifiable signcryption scheme 

Signcryption: Alice randomly chooses $x \in_R Z_q^*$ and carries out the following 
procedures to signcrypt the message $m$: 

1. $K = y_b^x \bmod p$ 

2. $K_1 = H(K)$ 

3. $k = g^x \bmod p$ 

4. $r = k \bmod q$ 

5. $h = H(m)$ 

6. $s = (h + x_a r) / x \bmod q$ 

7. $e_1 = h / s \bmod q$ and $e_2 = r / s \bmod q$ 

8. $c = E_{K_1}(m, e_1, e_2)$. 

Alice sends $(k, c)$ to Bob. 

Unsigncryption: Bob carries out the following procedures to unsigncrypt the 
message $m$: 

1. $K = k^{x_b} \bmod p$ 

2. $K_1 = H(K)$ 

3. $(m, e_1, e_2) = D_{K_1}(c)$ 

He accepts $m$ as a valid message of Alice only if the following equation holds: 

$k = g^{e_1} y_a^{e_2} \bmod p$ 

(indeed $g^{e_1} y_a^{e_2} = g^{(h + x_a r)/s} = g^x = k \bmod p$). 

Public verification: Bob sets 

1. $r = (g^{e_1} y_a^{e_2} \bmod p) \bmod q$ 

2. $s = r / e_2 \bmod q$ 

and sends $(m, r, s)$ to the verifier. 

The signature $(m, r, s)$ is a DSA-verifiable signature [9]. 

2. The proposed proxy signcryption scheme 

Proxy key generation: Alice generates $(x_{ap}, K')$ as in Section 1.1 and sends 
$(x_{ap}, K')$ through a secure channel to the proxy signer. The proxy signer accepts 
$x_{ap}$ as a valid proxy signature key only if the following equation holds: 

$g^{x_{ap}} = y_a K'^{K'} \bmod p$. 

Proxy signcryption: The proxy signer randomly chooses $x \in_R Z_q^*$ and carries 
out the following procedures to signcrypt the message $m$: 

1. $K = y_b^x \bmod p$ 

2. $K_1 = H(K)$ 

3. $k = g^x \bmod p$ 

4. $r = k \bmod q$ 

5. $h = H(m)$ 

6. $s = (h x_p + x_{ap} r) / x \bmod q$ 

7. $e_1 = h / s \bmod q$ and $e_2 = r / s \bmod q$ 

8. $c = E_{K_1}(m, e_1, e_2)$. 

The proxy signer sends $(k, c)$ to Bob; $K'$ is assumed to be known to Bob, since he 
needs it to form $y_{ap}$. 

Proxy unsigncryption: Bob computes $y_{ap} = y_a K'^{K'} \bmod p$ and carries out 
the following procedures to unsigncrypt the message $m$: 

1. $K = k^{x_b} \bmod p$ 

2. $K_1 = H(K)$ 

3. $(m, e_1, e_2) = D_{K_1}(c)$ 

He accepts $m$ as a valid message of the proxy signer (on behalf of Alice) only if 
the following equation holds: 

$k = y_p^{e_1} y_{ap}^{e_2} \bmod p$ 

(indeed $y_p^{e_1} y_{ap}^{e_2} = g^{(h x_p + x_{ap} r)/s} = g^x = k \bmod p$). 

Public verification: Bob sets 

1. $r = (y_p^{e_1} y_{ap}^{e_2} \bmod p) \bmod q$ 

2. $s = r / e_2 \bmod q$ 

and sends $(m, r, s, K')$ to the verifier, who recomputes $y_{ap} = y_a K'^{K'} \bmod p$ 
and accepts if $(y_p^{H(m)/s}\, y_{ap}^{r/s} \bmod p) \bmod q = r$. 
3. Analysis 

The security analysis of our scheme is similar to that of Gamage et al.'s 
scheme. We only consider the following three problems. 

Since the secret key $x_p$ is used in the proxy signcryption phase, only the 
proxy signer can create a valid proxy signcryption, and Bob can be assured of the proxy 
signer's identity; in particular, Alice cannot produce a valid $s$ from $x_{ap}$ alone. 
This scheme can protect the proxy signer against the original signer's forgery attack. 

Even if $x_{ap}$ is revealed, a person cannot compute $K = y_b^x \bmod p$, since 
recovering $x = (h x_p + x_{ap} r)/s \bmod q$ requires the value of $x_p$. Therefore, 
our scheme provides the forward secrecy property with respect to the proxy signer. 

In case of a later dispute, Bob can send $(m, r, s, K')$ to a verifier. The verifier can 
settle the dispute. Therefore, our scheme is publicly verifiable. 
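The two schemes of Sections 1.1 and 2 side by side, as an added worked example that is not part of the paper: it runs Gamage et al.'s proxy signcryption and shows a third party who knows $x_{ap}$ recomputing $k$ from the transmitted $(r, s)$, then runs the proposed scheme through proxy key generation, signcryption, unsigncryption and the public verification of $(m, r, s, K')$. Everything concrete is an assumption of the example: a 20-bit $q$ with $p = 2q + 1$, $g = 4$, SHA-256 reduced mod $q$ standing in for $H$ and $KH$, a SHA-256 keystream XOR standing in for $E_k$ and $D_k$, and the function names.

```python
"""Added example, not the paper's code: Gamage et al.'s proxy signcryption
(Section 1.1) and the proposed DSA-verifiable proxy signcryption (Section 2).
Toy parameters, SHA-256 mod q as H/KH and a keystream XOR as E_k are all
assumptions; nothing here is secure, it only checks the equations."""
import hashlib
import secrets

def _prime(n):
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))

Q = next(n for n in range(1 << 20, 1 << 21) if _prime(n) and _prime(2 * n + 1))
P, G = 2 * Q + 1, 4                       # p = 2q+1 safe prime; g = 4 has order q

def H(*parts):
    """H: {0,1}* -> Z_q; KH_k(m) is written H("KH", k, m)."""
    data = b"|".join(x if isinstance(x, bytes) else str(x).encode() for x in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def E(key, data):
    """Toy E_k (and D_k, it is self-inverse): XOR with a SHA-256 counter keystream."""
    stream = b"".join(hashlib.sha256(f"{key}|{i}".encode()).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def keygen():
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def proxy_keygen(xa, ya):
    """Alice: K' = g^{x'}, x_ap = x_a + x'K' mod q; proxy checks g^{x_ap} = y_a K'^{K'}."""
    x1 = secrets.randbelow(Q - 1) + 1
    Kp = pow(G, x1, P)
    xap = (xa + x1 * Kp) % Q
    assert pow(G, xap, P) == ya * pow(Kp, Kp, P) % P
    return xap, Kp

def y_ap(ya, Kp):
    return ya * pow(Kp, Kp, P) % P

# ---- Section 1.1: Gamage et al. (Zheng-style) proxy signcryption ----
def gamage_signcrypt(xap, Kp, yb, m):
    while True:
        x = secrets.randbelow(Q - 1) + 1
        k = pow(yb, x, P)                                   # k = y_b^x
        k1, k2 = H("k1", k), H("k2", k)                     # split k into k1, k2
        r = H("KH", k2, m)                                  # r = KH_{k2}(m)
        if (r + xap) % Q:                                   # s = x / (r + x_ap) mod q
            return E(k1, m), r, x * pow((r + xap) % Q, -1, Q) % Q, Kp

def gamage_unsigncrypt(xb, ya, c, r, s, Kp):
    k = pow(y_ap(ya, Kp) * pow(G, r, P) % P, s * xb % Q, P)  # (y_ap g^r)^{s x_b}
    k1, k2 = H("k1", k), H("k2", k)
    m = E(k1, c)
    return m if H("KH", k2, m) == r else None

def gamage_recover_k(xap, yb, r, s):
    """Whoever learns x_ap recomputes k = y_b^{s(r + x_ap)} from the public (r, s)."""
    return pow(yb, s * (r + xap) % Q, P)

# ---- Section 2: proposed DSA-verifiable proxy signcryption ----
def proxy_signcrypt(xp, xap, yb, m):
    while True:
        x = secrets.randbelow(Q - 1) + 1
        k, h = pow(G, x, P), H(m)                           # k = g^x, h = H(m)
        r = k % Q
        s = (h * xp + xap * r) % Q * pow(x, -1, Q) % Q      # s = (h x_p + x_ap r)/x
        if r and s:
            break
    K1 = H("K1", pow(yb, x, P))                             # K = y_b^x, K1 = H(K)
    e1, e2 = h * pow(s, -1, Q) % Q, r * pow(s, -1, Q) % Q   # e1 = h/s, e2 = r/s
    return k, E(K1, e1.to_bytes(4, "big") + e2.to_bytes(4, "big") + m)

def proxy_unsigncrypt(xb, ya, yp, Kp, k, c):
    data = E(H("K1", pow(k, xb, P)), c)                     # K = k^{x_b}, K1 = H(K)
    e1, e2, m = int.from_bytes(data[:4], "big"), int.from_bytes(data[4:8], "big"), data[8:]
    if k != pow(yp, e1, P) * pow(y_ap(ya, Kp), e2, P) % P: # k = y_p^{e1} y_ap^{e2} ?
        return None
    r = k % Q                               # = (y_p^{e1} y_ap^{e2} mod p) mod q
    return m, r, r * pow(e2, -1, Q) % Q     # (m, r, s) handed to a verifier

def public_verify(ya, yp, Kp, m, r, s):
    """Verifier: ((y_p^{h/s} y_ap^{r/s}) mod p) mod q == r, with y_ap from K'."""
    if not (0 < r < Q and 0 < s < Q):
        return False
    w = pow(s, -1, Q)
    v = pow(yp, H(m) * w % Q, P) * pow(y_ap(ya, Kp), r * w % Q, P) % P
    return v % Q == r

def demo(m=b"transfer 10 EUR to account 42"):          # constructed sample message
    (xa, ya), (xb, yb), (xp, yp) = keygen(), keygen(), keygen()
    xap, Kp = proxy_keygen(xa, ya)
    c, r, s, _ = gamage_signcrypt(xap, Kp, yb, m)
    gamage_ok = gamage_unsigncrypt(xb, ya, c, r, s, Kp) == m
    leak_ok = E(H("k1", gamage_recover_k(xap, yb, r, s)), c) == m   # x_ap exposes m
    k, c2 = proxy_signcrypt(xp, xap, yb, m)
    m2, r2, s2 = proxy_unsigncrypt(xb, ya, yp, Kp, k, c2)
    return gamage_ok, leak_ok, m2 == m, public_verify(ya, yp, Kp, m2, r2, s2)
```

`demo()` returns four booleans: Gamage unsigncryption succeeded, the holder of $x_{ap}$ decrypted the same message, the proposed scheme's unsigncryption succeeded, and the public verification passed. What stops a holder of $x_{ap}$ from doing the same against the proposed scheme is the $h x_p$ term inside $s$: without $x_p$ there is no way back from $(r, s)$ to $x$, which is the forward-secrecy argument of Section 3.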

4. Conclusion 

Proxy signcryption schemes are useful for applications that are based on an unreliable 
datagram-style network communication model, where messages are individually signed 
and not serially linked via a session key to provide authenticity and integrity. In this 
paper, we have proposed a new publicly verifiable proxy signcryption scheme. The 
proposed scheme overcomes some weaknesses of the previous schemes. 
Abstract Proxy signatures were first introduced by Mambo, Usuda, and Okamoto. After 
that, many proxy signature schemes and various types of proxy signature schemes 
have been proposed. Due to the various applications of bilinear pairings in 
cryptography, many ID-based signature schemes have been proposed. In this 
paper, we propose a general construction of proxy signature with warrant from 
ID-based signature schemes using bilinear pairings, and give some concrete proxy 
and proxy blind signature schemes based on existing ID-based signature schemes. 
1. Introduction 

The concept of proxy signature was first introduced by Mambo, Usuda, and 
Okamoto in 1996 [9]. Proxy signature schemes allow proxy signers to sign 
messages on behalf of an original signer. Such signatures have found numerous 
applications, particularly in distributed computing where delegation of rights is 
quite common. After Mambo et al.'s first scheme was announced, many proxy 
signature schemes have been proposed. Furthermore, proxy signatures can be 
combined with other special signatures to obtain new types of proxy signatures. 
Till now, various kinds of proxy signature schemes have been proposed, 
such as threshold proxy signature [16], proxy multi-signature [13], proxy blind 
signature, etc. 

Proxy blind signature is an important type of proxy signature; it plays an 
important role in the following scenario. In an e-cash system, the user makes the 
bank blindly sign a coin using a blind signature scheme. Whenever a user goes 
through a valid branch to withdraw a coin, he/she needs the branch to make a 
proxy blind signature on behalf of the bank. 

In the last couple of years, bilinear pairings have found various applications 
in cryptography; they can be used to realize some cryptographic primitives 
that were previously unknown or impractical. More precisely, they are 
basic tools for the construction of ID-based cryptographic schemes (the concept 
of ID-based public key cryptosystem was first proposed by Shamir [12]), and many 
ID-based cryptographic schemes have been proposed using them [1, 3, 5]. In 
this paper we show that it is easy to design proxy signature and proxy blind 
signature schemes from ID-based signature schemes using bilinear pairings, and give 
some concrete schemes. 

The rest of the paper is organized as follows: Section 2 briefly explains 
some preliminaries. Section 3 gives a description of the general construction 
of various types of proxy signature from the ID-based public key setting using 
bilinear pairings. In Sections 4 and 5, some concrete proxy signature schemes 
are presented. Section 6 concludes this paper. 

2. Preliminaries 

2.1 Bilinear Pairings and BLS Signature Scheme 

Let $G_1$ be a cyclic additive group generated by $P$, whose order is a prime $q$, 
and $G_2$ be a cyclic multiplicative group of the same order $q$. A bilinear pairing 
is a map $e : G_1 \times G_1 \to G_2$ with the following properties: 

P1 Bilinear: $e(aP, bQ) = e(P, Q)^{ab}$; 

P2 Non-degenerate: there exist $P, Q \in G_1$ such that $e(P, Q) \neq 1$; 

P3 Computable: there is an efficient algorithm to compute $e(P, Q)$ for all 
$P, Q \in G_1$. 

Throughout this paper, we define the system parameters in all schemes 
as follows: let $P$ be a generator of $G_1$, and let the bilinear pairing be given by 
$e : G_1 \times G_1 \to G_2$. Define two cryptographic hash functions $H_1 : \{0,1\}^* \to Z_q$ 
and $H_2 : \{0,1\}^* \to G_1$. 

Now we are ready to introduce Boneh et al.'s pairing-based short signature 
scheme proposed in [2], which we denote the BLS scheme. 

1 Key generation. Pick random $x \in Z_q^*$ and compute $P_{pub} = xP$. The 
public key is $P_{pub}$. The secret key is $x$. 

2 Sign. For a message $M \in \{0,1\}^*$, compute $P_M = H_2(M) \in G_1$ and $S_M = x P_M$. The 
signature of $M$ is $S_M$. 

3 Ver. Check whether the following equation holds: 

$e(S_M, P) = e(H_2(M), P_{pub})$. 

This scheme is proven to be secure against existential forgery on adaptive 
chosen-message attacks (in the random oracle model) assuming the CDHP 
is hard [2]. 

2.2 Proxy Signature and Proxy Blind Signature 

A proxy signature scheme consists of three entities: original signer, proxy 
signer and verifier. One assumes that each participant has received (via a PKI 
or a certificate) a public-secret key pair (Setup). When the original signer 
desires to delegate his/her signing ability to the proxy signer, they run a possibly 
interactive protocol: Generation of the proxy key. The proxy signer can use the 
proxy signature key to sign messages on behalf of the original signer (Proxy 
signature generation). Anyone can verify the validity of such signatures using 
a proxy Verification algorithm. 

Depending on whether the original signer can generate the same proxy sig- 
natures as the proxy signers do, there are two kinds of proxy signature schemes: 
(1) proxy-unprotected; (2) proxy-protected. 

The Generation of the proxy key in a proxy signature is a delegation procedure. 
There are three types of delegation in Mambo et al.'s paper: full delegation, 
partial delegation and delegation by warrant. In [6], S. Kim et al. gave a 
new type of delegation called partial delegation with warrant, which can be 
considered as the combination of partial delegation and delegation by warrant. 

Lee et al. [7] defined the properties that a strong proxy signature scheme should 
provide: distinguishability, verifiability, strong non-forgeability, strong iden- 
tifiability, strong non-deniability and prevention of misuse. 

A proxy blind signature is considered to be the combination of a proxy signature 
and a blind signature, so, besides the above security requirements of proxy signatures, 
it should satisfy the additional requirement of blindness, i.e., the signer does not 
know the content of the message. In general, a proxy blind signature scheme 
consists of four participants: an original signer, a proxy signer, a user and a 
verifier, and the following algorithms: Setup, Generation of the proxy key, 
Proxy blind signature generation, and Verification. 

2.3 General Process of ID-based Signature Scheme from 
Pairing 

The ID-based public key setting involves a KGC (Key Generation Center) and 
users. The basic operations consist of Setup and Private Key Extraction 
(simply Extract). When we use bilinear pairings to construct an ID-based signa- 
ture scheme, the general process will be as follows: 

■ Setup: KGC chooses a random number $s \in Z_q^*$ and sets $P_{pub} = sP$. 
The center publishes the system parameters $params = (G_1, G_2, e, q, P, 
P_{pub}, H_1, H_2)$, and keeps $s$ as the master key, which is known only by 
itself. 

■ Extract: A user submits his/her identity information $ID$ to KGC. KGC 
computes the user's public key as $Q_{ID} = H_2(ID)$, and returns $S_{ID} = 
s Q_{ID}$ to the user as his/her private key. 

■ Signing: a probabilistic polynomial time (PPT) algorithm that takes 
$params$, a private key $S_{ID}$, and a message $m$. The algorithm outputs a 
signature $\sigma(m)$ for $m$. 

■ Verification: a PPT algorithm that takes $(params, ID, m, \sigma(m))$ and 
outputs either accept or reject. 

We remark that an ID-based signature scheme with a trusted KGC can be re- 
garded as a proxy-unprotected proxy signature scheme with multiple proxies. 
This is obvious: we take the KGC as the original signer and the user as the proxy 
signer; Extract can be considered the Generation of the proxy key, i.e. the 
delegation. 

3. The General Construction 

The delegation function of pairing-based cryptosystems has been noted by Boneh et al. 
[1] and Chen et al. [4]. If their delegation is used to construct 
proxy signature schemes directly, the result is a proxy-unprotected proxy signature 
scheme. To obtain a proxy-protected delegation, we require the proxy signer to 
sign the same warrant as well, using the BLS short signature. Assume that 
there are two participants, one called the original signer with public key $PK_o$ and 
secret key $S_o$, another called the proxy signer with public key $PK_p$ and secret key 
$S_p$, where $PK_o = S_o P$ and $PK_p = S_p P$; they have the common system parameters 
$(G_1, G_2, e, q, P, H_1, H_2)$. We describe the delegation in detail as follows: 

■ The original signer makes a warrant $w$. There is an explicit description 
of the delegation relation in the warrant $w$. 

■ The original signer computes $S_{ow} = S_o H_2(w)$, and sends $w$ and $S_{ow}$ to the 
proxy signer. 

■ The proxy signer checks whether $e(S_{ow}, P) = e(H_2(w), PK_o)$; if it holds, 
he computes $S_w = S_{ow} + S_p H_2(w)$. 

In fact this is partial delegation with warrant [6]. So it can be regarded 
as the Generation of the proxy key in a proxy signature. The proxy secret key 
is $S_w$, and the proxy public key is $PK_o + PK_p$, since $e(S_w, P) = e(H_2(w), PK_o + PK_p)$. 
Then the proxy signer can use any ID-based signature scheme or ID-based blind 
signature scheme from pairings (taking the ID-based private key as $S_w$ and the public 
key of the KGC as $PK_o + PK_p$) to get proxy signature and proxy blind signature 
schemes. 

Nobody can forge an $S_w$ for a warrant $w$, since the original signer and the 
proxy signer both use the BLS short signature scheme to sign the warrant, and the BLS 
short signature scheme is proven to be secure. Like the discussion in [8], the above del- 
egation does not need a secure channel for the delivery of the signed warrant by 
the original signer, i.e., the original signer can publish $w$ and $S_{ow}$. More pre- 
cisely, any adversary can get the original signer's signature on the warrant $w$. Even 
so, the adversary cannot get the $S_w$ of the proxy signer, because $S_w$ satisfies 
$e(S_w, P) = e(H_2(w), PK_o + PK_p)$ and $e(S_{ow}, P) = e(H_2(w), PK_o)$, so 
$e(S_w - S_{ow}, P) = e(H_2(w), PK_p)$. This means that if the adversary could get the 
$S_w$ of the proxy signer, then he could forge the BLS signature of the message $w$ 
under the public key $PK_p$ of the proxy signer, which is impossible due to the security 
of the BLS scheme. 

4. New Proxy Signature Schemes 

In this section, we give a new proxy signature scheme based on Hess' [5] 
ID-based signature scheme. 

[Setup:] 

The system parameters $params = (G_1, G_2, e, q, P, H_1, H_2)$; the original 
signer has public-secret key pair $(PK_o, S_o)$, the proxy signer has public-secret 
key pair $(PK_p, S_p)$. 

[Generation of the proxy key:] 

After the original signer and the proxy signer finish the process in Section 3, 
the proxy signer gets a proxy key $S_w$. 

[Proxy signature generation:] 

For any delegated message $m$, the proxy signer uses Hess's ID-based signa- 
ture scheme [5] (taking the signing key as $S_w$) and obtains a signature $(c_p, U_p)$ 
as follows: 

$r_p = e(P, P)^{k_p}$, $k_p \in_R Z_q^*$, $c_p = H_1(m \| r_p)$, $U_p = c_p S_w + k_p P$. 

The valid proxy signature will be the tuple $\langle m, c_p, U_p, w \rangle$. 

[Verification:] 

A verifier can accept this proxy signature if and only if 

$c_p = H_1(m \| e(U_p, P)\, e(H_2(w), PK_o + PK_p)^{-c_p})$. 

The verification of the signature is justified by the following equations: 

$e(U_p, P)\, (e(H_2(w), PK_o + PK_p))^{-c_p}$ 

$= e(c_p S_w + k_p P, P)\, (e(H_2(w), PK_o + PK_p))^{-c_p}$ 

$= e(c_p (S_{ow} + S_p H_2(w)) + k_p P, P)\, (e(H_2(w), PK_o + PK_p))^{-c_p}$ 

$= (e(H_2(w), PK_o + PK_p))^{c_p}\, e(k_p P, P)\, (e(H_2(w), PK_o + PK_p))^{-c_p}$ 

$= e(P, P)^{k_p} = r_p.$ 

So, we have: 

$c_p = H_1(m \| r_p) = H_1(m \| e(U_p, P)\, e(H_2(w), PK_o + PK_p)^{-c_p})$. 

Due to the use of the warrant $w$, it is obvious that our new proxy signature scheme 
satisfies the requirements stated in Section 2.2 except strong non-forgeability, which 
needs a separate argument. For that, we use Hess's ID-based signature scheme to generate 
the proxy signature, and it is proven to be secure under the hardness assumption of the 
CDHP in the random oracle model, so the new proxy signature is unforgeable. 

Recently, many ID-based signature schemes have been proposed using 
bilinear pairings [3, 5, 10, 11]. Like the above construction from Hess's scheme, it is 
easy to construct other proxy signature schemes based on the Paterson scheme [10], 
the Cha-Cheon scheme [3] and the Sakai-Ohgishi-Kasahara scheme [11]. 

5. New Proxy Blind Signature Schemes 

The proxy blind signature satisfies the security properties of both the blind 
signature and the proxy signature; such signatures are suitable for many applica- 
tions where the users' privacy and proxy signatures are required. From an ID- 
based blind signature scheme, we can construct a proxy blind signature scheme. 
The first ID-based blind signature scheme was proposed by Zhang and Kim 
[14] at Asiacrypt 2002. Recently, they gave another ID-based blind signature 
scheme [15]. Now, we give a new proxy blind signature scheme based on this 
ID-based blind signature scheme. 

[Setup:] 

The system parameters $params = (G_1, G_2, e, q, P, H_1, H_2)$; the original 
signer has public-secret key pair $(PK_o, S_o)$, the proxy signer has public-secret 
key pair $(PK_p, S_p)$. 

[Generation of the proxy key:] 

After the original signer and the proxy signer finish the process in Section 3, 
the proxy signer gets a proxy key $S_w$. 

[Proxy blind signature generation:] 

Suppose that $m$ is the message to be signed. 

■ The proxy signer randomly chooses a number $r \in_R Z_q^*$, computes $U = 
r H_2(w)$, and sends $U$ and the warrant $w$ to the user. 

■ (Blinding) The user randomly chooses $\alpha, \beta \in_R Z_q^*$ as blinding factors. 
He/She computes $U' = \alpha U + \alpha\beta H_2(w)$ and $h = \alpha^{-1} H_1(m \| U') + \beta$, and 
sends $h$ to the proxy signer. 

■ (Signing) The proxy signer sends back $V$, where $V = (r + h) S_w$. 

■ (Unblinding) The user computes $V' = \alpha V$. He/She outputs $(U', V')$. 

Then $(U', V', w)$ is the proxy blind signature of the message $m$. 

[Verification:] 

A verifier can accept this proxy blind signature if and only if 

$e(V', P) = e(U' + H_1(m \| U') H_2(w),\ PK_o + PK_p)$. 

This holds because $S_w = (S_o + S_p) H_2(w)$, so $V' = \alpha(r + \alpha^{-1} H_1(m \| U') + \beta) S_w = 
(\alpha r + \alpha\beta + H_1(m \| U'))(S_o + S_p) H_2(w)$, while $U' + H_1(m \| U') H_2(w) = 
(\alpha r + \alpha\beta + H_1(m \| U')) H_2(w)$. 

Like the discussion in [15], our new proxy blind signature scheme can provide 
batch verification. This is very important when the number of verifications is 
considerably large (e.g., when a branch bank issues a large number of electronic 
coins and the customer wishes to verify the correctness of the coins). Assume 
that $(U_1', V_1'), (U_2', V_2'), \ldots, (U_n', V_n')$ are proxy blind signatures on messages 
$m_1, m_2, \ldots, m_n$, issued by the proxy signer with the public key $PK_p$ 
under the same warrant $w$ from the original signer. The batch verification is then 
to test whether the following equation holds: 

$e\left(\sum_{i=1}^{n} V_i',\ P\right) = e\left(\sum_{i=1}^{n} U_i' + \left(\sum_{i=1}^{n} H_1(m_i \| U_i')\right) H_2(w),\ PK_o + PK_p\right).$ 

The correctness of the verification is easy to check. A warrant made by 
the original signer is included in a valid proxy blind signature, so the proxy 
blind signature is distinguishable, verifiable, identifiable and non-deniable. The 
blindness and the non-forgeability of this new proxy blind signature follow 
the discussion of [15]. 
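The delegation of Section 3, the Hess-based proxy signature of Section 4 and the proxy blind signature with batch verification of Section 5, as one added worked example that is not the paper's code, over a toy pairing: $G_1$ is $(Z_q, +)$ with a generator $P$, $G_2$ is the order-$q$ subgroup of $Z_p^*$ and $e(aP, bP) = g^{ab} \bmod p$. This map is bilinear and non-degenerate, so every verification equation above can be exercised, but discrete logarithms in this $G_1$ are trivial and the hashes are SHA-256 reduced mod $q$, so it is not a secure instantiation; the parameter sizes, hash choices and function names are assumptions of the example.

```python
"""Added example, not the paper's code: the delegation of Section 3, the Hess-based
proxy signature of Section 4 and the proxy blind signature of Section 5 over a TOY
pairing: G1 = (Z_q, +) with generator P, G2 = order-q subgroup of Z_p^*, and
e(aP, bP) = g^{ab} mod p.  Bilinear and non-degenerate, but discrete logs in G1
are trivial, so this only checks the verification equations."""
import hashlib
import secrets

def _prime(n):
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))

Q = next(n for n in range(1 << 20, 1 << 21) if _prime(n) and _prime(2 * n + 1))
P_MOD, G2_GEN = 2 * Q + 1, 4                # p = 2q+1 safe prime, g = 4 of order q
P, INV_PP = 7, pow(49, -1, Q)               # generator of G1; point aP is a*7 mod q

def e(A, B):
    """e(aP, bP) = g^{ab}: dividing by P^2 makes the map bilinear in a and b."""
    return pow(G2_GEN, A * B * INV_PP % Q, P_MOD)

def _hash(tag, *parts):
    data = "|".join([tag] + [str(x) for x in parts]).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def H1(*parts):                             # H1: {0,1}* -> Z_q
    return _hash("H1", *parts)

def H2(*parts):                             # H2: {0,1}* -> G1 (a nonzero point)
    return (_hash("H2", *parts) or 1) * P % Q

def rand_zq():
    return secrets.randbelow(Q - 1) + 1

def keygen():
    s = rand_zq()
    return s, s * P % Q                     # (secret S, public PK = S*P)

def bls_sign(S, M):
    return S * H2(M) % Q

def bls_verify(PK, M, sig):
    return e(sig, P) == e(H2(M), PK)

# ---- Section 3: proxy-protected delegation with warrant w ----
def delegate(So, PKo, Sp, w):
    S_ow = bls_sign(So, w)                  # original signer: S_ow = S_o H2(w)
    assert bls_verify(PKo, w, S_ow)         # proxy checks e(S_ow, P) = e(H2(w), PKo)
    return (S_ow + Sp * H2(w)) % Q          # S_w = S_ow + S_p H2(w)

# ---- Section 4: proxy signature from Hess's ID-based scheme ----
def proxy_sign(Sw, m, w):
    kp = rand_zq()
    rp = pow(e(P, P), kp, P_MOD)            # r_p = e(P,P)^{k_p}
    cp = H1(m, rp)                          # c_p = H1(m || r_p)
    return m, cp, (cp * Sw + kp * P) % Q, w # U_p = c_p S_w + k_p P

def proxy_verify(PKo, PKp, sig):
    m, cp, Up, w = sig
    rp = e(Up, P) * pow(e(H2(w), (PKo + PKp) % Q), -cp % Q, P_MOD) % P_MOD
    return cp == H1(m, rp)

# ---- Section 5: proxy blind signature (Zhang-Kim style) and batch check ----
def pbs_commit(w):                          # proxy signer: U = r H2(w)
    r = rand_zq()
    return r, r * H2(w) % Q

def pbs_blind(U, w, m):                     # user: U' = aU + ab H2(w), h = a^-1 H1(m,U') + b
    a, b = rand_zq(), rand_zq()
    U1 = (a * U + a * b * H2(w)) % Q
    return a, U1, (pow(a, -1, Q) * H1(m, U1) + b) % Q

def pbs_sign(Sw, r, h):                     # proxy signer: V = (r + h) S_w
    return (r + h) * Sw % Q

def pbs_verify(PKo, PKp, m, U1, V1, w):     # e(V', P) = e(U' + H1(m,U') H2(w), PKo + PKp)
    return e(V1, P) == e((U1 + H1(m, U1) * H2(w)) % Q, (PKo + PKp) % Q)

def pbs_batch_verify(PKo, PKp, sigs, w):
    """e(sum V_i', P) = e(sum U_i' + (sum H1(m_i, U_i')) H2(w), PKo + PKp)."""
    sum_v = sum(V1 for _, _, V1 in sigs) % Q
    sum_u = sum(U1 for _, U1, _ in sigs) % Q
    sum_h = sum(H1(m, U1) for m, U1, _ in sigs) % Q
    return e(sum_v, P) == e((sum_u + sum_h * H2(w)) % Q, (PKo + PKp) % Q)

def demo():
    (So, PKo), (Sp, PKp) = keygen(), keygen()
    w = "branch 7 may sign coins during 2004"          # constructed warrant
    Sw = delegate(So, PKo, Sp, w)
    sig = proxy_sign(Sw, "coin 1", w)
    sigs = []
    for m in ("coin 2", "coin 3", "coin 4"):
        r, U = pbs_commit(w)
        a, U1, h = pbs_blind(U, w, m)
        sigs.append((m, U1, a * pbs_sign(Sw, r, h) % Q))   # unblind: V' = aV
    singles = all(pbs_verify(PKo, PKp, m, U1, V1, w) for m, U1, V1 in sigs)
    return proxy_verify(PKo, PKp, sig), singles, pbs_batch_verify(PKo, PKp, sigs, w)
```

`demo()` returns three booleans: the Hess-based proxy signature verifies, each proxy blind signature verifies on its own, and the batch equation holds for all of them at once. The batch check is only as strong as the pairing's linearity: a set containing one invalid signature can still pass if a second one is off by a compensating amount, which is why a failed batch has to be followed by individual checks.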

6. Conclusion 

Various types of proxy signatures are important in many applications, such as 
secure e-commerce. Due to the various applications of bilinear pairings 
in cryptography, many ID-based cryptographic schemes have been 
proposed. In this paper, we have first shown how to obtain a proxy- 
protected delegation using the short signature scheme of Boneh, Lynn and 
Shacham. Using this delegation, it is easy to design proxy signature and 
proxy blind signature schemes from conventional ID-based signature schemes using 
bilinear pairings; we have given some concrete schemes based on existing ID- 
based signature schemes. 
Abstract Both the Schnorr digital signature scheme and the Okamoto digital signature scheme are 
important digital signature schemes; they are constructed based on the discrete 
logarithm problem. On the basis of these two digital signature schemes, two 
new digital signature schemes are constructed in this paper. For the second digital 
signature scheme, its blind digital signature scheme is given also. 

Keywords: digital signature, discrete logarithm problem 

1. Introduction 

Both the Schnorr digital signature scheme [1] and the Okamoto digital signature 
scheme [2] are important digital signature schemes; they are constructed based 
on the discrete logarithm problem. The Schnorr digital signature scheme, the 
Okamoto digital signature scheme and their blind digital signature schemes 
have found wide use. On the basis of these two digital signature schemes, 
two new digital signature schemes based on the discrete logarithm problem 
are constructed in this paper. For the second digital signature scheme, its blind 
digital signature scheme is given also. 



• This work was supported by NSFC under grant #90104005 and #60273049 

PROGRESS ON CRYPTOGRAPHY 

2. Constructions of schemes 

2.1 Protocol One 

Suppose $p$, $q$ are prime, $q \mid p - 1$, $q$ is about 140 bits, $p$ is at least 512 bits, 
and $g_1, g_2$ are random elements of $Z_p^*$ of order $q$. Let $H(x)$ be a collision- 
resistant one-way hash function that maps $\{0,1\}^*$ to $Z_q$. $x_1, x_2$ are the signer's 
secret keys, both of them random numbers which are less than $q$. $y = (y_1, y_2)$ with 
$y_1 = g_1^{x_1} \bmod p$ and $y_2 = g_2^{x_2} \bmod p$ is the signer's public key. The signing 
process is as follows: 

(1) The signer Alice selects two random numbers $k_1, k_2$ which are less than $q$. 

(2) Alice computes 

$r = (g_1^{k_1} g_2^{k_2} \bmod p) \bmod q$, 

$s_1 = k_1^{-1} (H(m) + x_1 r) \bmod q$, 

$s_2 = k_2^{-1} (H(m) + x_2 r) \bmod q$. 

$(r, s_1, s_2)$ is the signature of the signer Alice on $m$. She sends it to the recipient 
Bob. 

(3) Bob verifies the signature by computing: 

$w_1 = s_1^{-1} \bmod q$, $w_2 = s_2^{-1} \bmod q$, 

$u_1 = H(m)\, w_1 \bmod q$, $u_1' = H(m)\, w_2 \bmod q$, 

$u_2 = r w_1 \bmod q$, $u_2' = r w_2 \bmod q$, 

$v = ((g_1^{u_1} g_2^{u_1'} y_1^{u_2} y_2^{u_2'}) \bmod p) \bmod q$, 

where $y_1 = g_1^{x_1} \bmod p$ and $y_2 = g_2^{x_2} \bmod p$. If $v = r$, then the signature is valid. 

(4) Correctness of the verification: 

$v = ((g_1^{u_1} g_2^{u_1'} y_1^{u_2} y_2^{u_2'}) \bmod p) \bmod q$ 

$= ((g_1^{(H(m) + x_1 r)\, s_1^{-1}}\ g_2^{(H(m) + x_2 r)\, s_2^{-1}}) \bmod p) \bmod q$ 

$= ((g_1^{(H(m) + x_1 r)\, k_1 (H(m) + x_1 r)^{-1}}\ g_2^{(H(m) + x_2 r)\, k_2 (H(m) + x_2 r)^{-1}}) \bmod p) \bmod q$ 

$= ((g_1^{k_1} g_2^{k_2}) \bmod p) \bmod q = r.$ 
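Protocol One as an added worked example that is not the paper's code, with toy parameters generated at import time (a 20-bit prime $q$, $p = 2q + 1$, and $g_1, g_2$ chosen as powers of 4 so that they have order $q$) and SHA-256 reduced mod $q$ as $H$; these sizes and choices are assumptions of the example, far below the 512/140-bit parameters the scheme requires.

```python
"""Added example, not the paper's code: Protocol One with toy parameters
(20-bit prime q, p = 2q+1, g1 and g2 powers of 4 and hence of order q) and
SHA-256 reduced mod q as H.  It only checks the signing/verification equations."""
import hashlib
import secrets

def _prime(n):
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))

Q = next(n for n in range(1 << 20, 1 << 21) if _prime(n) and _prime(2 * n + 1))
P = 2 * Q + 1
G1, G2 = pow(4, 3, P), pow(4, 5, P)              # 4 has order q mod p; so do its powers

def H(m):
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % Q

def rand_zq():
    return secrets.randbelow(Q - 1) + 1

def keygen():
    x1, x2 = rand_zq(), rand_zq()                 # secret keys x1, x2 < q
    return (x1, x2), (pow(G1, x1, P), pow(G2, x2, P))   # public key y = (y1, y2)

def sign(sk, m):
    x1, x2 = sk
    while True:
        k1, k2 = rand_zq(), rand_zq()
        r = pow(G1, k1, P) * pow(G2, k2, P) % P % Q     # r = (g1^k1 g2^k2 mod p) mod q
        s1 = pow(k1, -1, Q) * (H(m) + x1 * r) % Q       # s1 = k1^-1 (H(m) + x1 r)
        s2 = pow(k2, -1, Q) * (H(m) + x2 * r) % Q       # s2 = k2^-1 (H(m) + x2 r)
        if r and s1 and s2:                             # retry on a zero component
            return r, s1, s2

def verify(pk, m, sig):
    y1, y2 = pk
    r, s1, s2 = sig
    if not all(0 < t < Q for t in sig):                 # reject out-of-range values
        return False
    w1, w2 = pow(s1, -1, Q), pow(s2, -1, Q)
    u1, u1p = H(m) * w1 % Q, H(m) * w2 % Q
    u2, u2p = r * w1 % Q, r * w2 % Q
    v = pow(G1, u1, P) * pow(G2, u1p, P) * pow(y1, u2, P) * pow(y2, u2p, P) % P
    return v % Q == r                                   # valid iff v = r
```

The range check in `verify` is the one step the paper's description leaves implicit: with $s_i = 0$ or values outside $[1, q-1]$ the inverses are undefined, and a DSA-style verifier that skips the check can be driven into a degenerate exponent.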
2.2 Protocol Two 

Suppose $p$, $q$ are prime, $q \mid p - 1$, $q$ is about 140 bits, $p$ is at least 512 bits, 
and $g_1, g_2, g_3$ are random elements of $Z_p^*$ of order $q$. Let $H(x)$ be a 
collision-resistant one-way hash function that maps $\{0,1\}^*$ to $Z_q$. $s_1, s_2, s_3$ 
are the signer's secret keys, all of them random numbers which are less than 
$q$. $v = g_1^{-s_1} g_2^{-s_2} g_3^{-s_3} \bmod p$ is the signer's public key. Given message $M$, the 
signing process is as follows: 

(1) The signer Alice selects three random numbers $r_1, r_2, r_3$ which are less 
than $q$. 

(2) Alice computes 

$e = H(g_1^{r_1} g_2^{r_2} g_3^{r_3} \bmod p,\ M)$, 

$y_1 = (r_1 + e s_1) \bmod q$, 

$y_2 = (r_2 + e s_2) \bmod q$, 

$y_3 = (r_3 + e s_3) \bmod q$. 

$(e, y_1, y_2, y_3)$ is the signature of the signer Alice on the message $M$. She sends 
it to the recipient Bob. 

(3) Bob verifies the signature: 

$\mathrm{Ver}(M, e, y_1, y_2, y_3)$ is true if and only if 

$H(g_1^{y_1} g_2^{y_2} g_3^{y_3} v^e \bmod p,\ M) = e$. 

Correctness of the verification: 

$(g_1^{y_1} g_2^{y_2} g_3^{y_3} v^e) \bmod p$ 

$= (g_1^{r_1 + e s_1}\, g_2^{r_2 + e s_2}\, g_3^{r_3 + e s_3}\, (g_1^{-s_1} g_2^{-s_2} g_3^{-s_3})^e) \bmod p$ 

$= (g_1^{r_1} g_2^{r_2} g_3^{r_3}) \bmod p.$ 

2.3 Blind Protocol of the Protocol Two 

For the second protocol, we are able to construct its blind digital signature 
scheme. The parameters $p, q, g_1, g_2, g_3$ and $H$, the secret keys $s_1, s_2, s_3$ and the 
public key $v = g_1^{-s_1} g_2^{-s_2} g_3^{-s_3} \bmod p$ are as in Section 2.2. Given message $M$, 
the signing process is as follows. 

Let the signer be E and the verifier be V; then the protocol can be shown as in 
Fig. 1. 

Fig. 1. Blind Signature Protocol Based on Protocol Two 

V (verifier) knows $(M, g_1, g_2, g_3, v)$; E (signer) knows $(g_1, g_2, g_3, s_1, s_2, s_3)$. 

E: $r_1, r_2, r_3 \in_R Z_q^*$; $t' := g_1^{r_1} g_2^{r_2} g_3^{r_3} \bmod p$; sends $t'$ to V. 

V: $\alpha_1, \alpha_2, \alpha_3, \beta \in_R Z_q^*$; $t := t'\, g_1^{\alpha_1} g_2^{\alpha_2} g_3^{\alpha_3} v^{\beta} \bmod p$; 
$e := H(t, M)$; $e' := e - \beta \pmod q$; sends $e'$ to E. 

E: $y_1' := r_1 + e' s_1 \pmod q$, $y_2' := r_2 + e' s_2 \pmod q$, $y_3' := r_3 + e' s_3 \pmod q$; 
sends $y_1', y_2', y_3'$ to V. 

V: $y_1 := y_1' + \alpha_1 \pmod q$, $y_2 := y_2' + \alpha_2 \pmod q$, $y_3 := y_3' + \alpha_3 \pmod q$; 
checks $e = H(g_1^{y_1} g_2^{y_2} g_3^{y_3} v^e \bmod p,\ M)$. If true, V has obtained a blind 
signature $(e, y_1, y_2, y_3)$ of $M$. 

To show that the protocol is blind it suffices to show that for every possible 
view of the signer and for every possible signature there exists exactly one 
suitable quadruple of blinding factors $(\alpha_1, \alpha_2, \alpha_3, \beta)$. Given a view consisting 
of $r_1, r_2, r_3, t', e', y_1', y_2', y_3'$ and a signature $(e, y_1, y_2, y_3)$ on a message $M$, the 
only possibility is 

$\alpha_1 := y_1 - y_1' \pmod q$, 

$\alpha_2 := y_2 - y_2' \pmod q$, 

$\alpha_3 := y_3 - y_3' \pmod q$, 

$\beta := e - e' \pmod q$. 

With these blinding factors, the verifier V would have computed 

$t := t'\, g_1^{\alpha_1} g_2^{\alpha_2} g_3^{\alpha_3} v^{\beta} \bmod p$, 

$e := H(t, M)$. 

It remains to show that $t = g_1^{y_1} g_2^{y_2} g_3^{y_3} v^e \bmod p$: 

$t = t'\, g_1^{\alpha_1} g_2^{\alpha_2} g_3^{\alpha_3} v^{\beta}$ 

$= g_1^{r_1 + \alpha_1}\, g_2^{r_2 + \alpha_2}\, g_3^{r_3 + \alpha_3}\, v^{\beta}$ 

$= g_1^{y_1 - e' s_1}\, g_2^{y_2 - e' s_2}\, g_3^{y_3 - e' s_3}\, v^{\beta}$ 

$= g_1^{y_1} g_2^{y_2} g_3^{y_3}\, (g_1^{-s_1} g_2^{-s_2} g_3^{-s_3})^{e'}\, v^{\beta}$ 

$= g_1^{y_1} g_2^{y_2} g_3^{y_3}\, v^{e' + \beta}$ 

$= g_1^{y_1} g_2^{y_2} g_3^{y_3}\, v^{e} \bmod p.$ 

Thus, $e = H(g_1^{y_1} g_2^{y_2} g_3^{y_3} v^e \bmod p,\ M)$, and the blinding factors $(\alpha_1, \alpha_2, \alpha_3, 
\beta)$ would in fact have resulted in the valid signature. 
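Protocol Two and the blind protocol of Fig. 1 as an added worked example that is not the paper's code, with the same kind of toy parameters as before (a 20-bit prime $q$, $p = 2q + 1$, $g_1, g_2, g_3$ powers of 4, SHA-256 reduced mod $q$ as $H$; all assumptions). The signer's view $(t', e', y_1', y_2', y_3')$ is returned next to the final signature so that the blinding-factor recovery above can be checked against a real run.

```python
"""Added example, not the paper's code: Protocol Two (Section 2.2) and the blind
protocol of Fig. 1 (Section 2.3) with toy parameters (20-bit prime q, p = 2q+1,
g1, g2, g3 powers of 4 and hence of order q) and SHA-256 reduced mod q as H."""
import hashlib
import secrets

def _prime(n):
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))

Q = next(n for n in range(1 << 20, 1 << 21) if _prime(n) and _prime(2 * n + 1))
P = 2 * Q + 1
G = [pow(4, k, P) for k in (3, 5, 7)]             # g1, g2, g3

def H(t, m):                                      # H(t, M) -> Z_q
    return int.from_bytes(hashlib.sha256(f"{t}|".encode() + m).digest(), "big") % Q

def rand_zq():
    return secrets.randbelow(Q - 1) + 1

def prod_pow(exps):
    """g1^{e1} g2^{e2} g3^{e3} mod p (exponents reduced mod q)."""
    t = 1
    for g, x in zip(G, exps):
        t = t * pow(g, x % Q, P) % P
    return t

def keygen():
    s = [rand_zq() for _ in range(3)]             # secret keys s1, s2, s3
    return s, prod_pow([-si for si in s])         # v = g1^{-s1} g2^{-s2} g3^{-s3}

def sign(s, m):
    r = [rand_zq() for _ in range(3)]
    e = H(prod_pow(r), m)                         # e = H(g1^r1 g2^r2 g3^r3 mod p, M)
    return e, [(ri + e * si) % Q for ri, si in zip(r, s)]   # y_i = r_i + e s_i

def verify(v, m, sig):
    e, y = sig
    return H(prod_pow(y) * pow(v, e, P) % P, m) == e    # H(g1^y1 g2^y2 g3^y3 v^e, M) = e

# Blind protocol of Fig. 1: signer E holds s; user V blinds with a1, a2, a3, b
def blind_commit():                               # E: t' = g1^r1 g2^r2 g3^r3
    r = [rand_zq() for _ in range(3)]
    return r, prod_pow(r)

def blind_challenge(v, t1, m):                    # V: t = t' g^a v^b, e = H(t,M), e' = e - b
    a, b = [rand_zq() for _ in range(3)], rand_zq()
    e = H(t1 * prod_pow(a) % P * pow(v, b, P) % P, m)
    return (a, e), (e - b) % Q

def blind_respond(s, r, e1):                      # E: y'_i = r_i + e' s_i
    return [(ri + e1 * si) % Q for ri, si in zip(r, s)]

def blind_unblind(state, y1):                     # V: y_i = y'_i + a_i
    a, e = state
    return e, [(yi + ai) % Q for yi, ai in zip(y1, a)]

def blind_sign(s, v, m):
    """Whole protocol; returns the signature and the signer's view (t', e', y')."""
    r, t1 = blind_commit()
    state, e1 = blind_challenge(v, t1, m)
    y1 = blind_respond(s, r, e1)
    return blind_unblind(state, y1), (t1, e1, y1)
```

Given a signature and a view, `a_i = y_i - y'_i` and `b = e - e'` are the blinding factors of the proof above, and `t1 * prod_pow(a) * v**b` must equal `prod_pow(y) * v**e` modulo `p`; the test below checks exactly that identity on a live run.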



3. Conclusion 

On the bases of Schnorr signature scheme and Okamoto signature scheme, 
we have suggested two digital signature schemes based on the discrete logarithm 
problems. For the second scheme, we have given its blind signature scheme 
also. We believe that these schemes will be widely used in the real world. 
Abstract Since the concept of blind signature was first introduced by Chaum, there have been 
many applications of blind signatures. Especially, blind signatures have been 
applied widely in anonymous E-Cash systems. The most used blind signatures 
in E-Cash systems are based on the discrete logarithm problem (DLP in short). 

This paper investigates the method to construct DLP-based blind signatures 
and tries to generalize how these blind signatures can be utilized to build double- 
spending resistant anonymous E-Cash systems. 

Keywords: blind signature, discrete logarithm problem, electronic cash system 

1. Introduction 

Blind signatures were first introduced by Chaum in 1982 [8]. Blind signatures 
allow a recipient to have a signer sign a message $m$ without revealing any 
information about the message to the signer. This feature can be utilized to 
provide anonymity for many applications, e.g. electronic cash (E-Cash) systems 
and electronic voting systems. Most of the presented E-Cash systems rely 
on blind signatures for providing anonymity. 

The first blind signature was based on the RSA system (factoring problem) [8]. 
It is well known that electronic coins are bit strings which are vulnerable to 
being copied and spent more than once (the double-spending problem). To avoid 
the double-spending problem, Chaum's system was on-line: the bank prevents 
double-spending by checking on-line whether the coin has been spent or not. 
Obviously, on-line searching of a database (which may grow to an 
unacceptable size) to make the system double-spending resistant is very im- 
practical. Chaum proposed an off-line E-Cash system still using the RSA blind 
signature based on the factoring problem in [9]. The system is able to reveal 
the identity of the owner of double-spent coins "after the fact". But 
the system is still quite inefficient because it uses the cut-and-choose technique. Later, 
more efficient DLP-based blind signatures were presented and consequently, 
more efficient E-Cash systems based on these blind signatures were designed 
[11, 10, 6, 7, 4, 18, 5, 3, 19, 9]. Among these systems, the most significant 
concept is the restrictive blind signature proposed by Brands [3]. This concept 
has been playing a very important role in the area of E-Cash for the last decade. 
Numerous systems are derived from or based on the restrictive blind signature. 

In this paper, we illustrate with some examples how to construct DLP- 
based blind signatures and generalize the use of blind signatures in anonymity- 
revocable E-Cash systems. We conclude that knowing the process of construct- 
ing DLP-based blind signatures and the principle of their use in E-Cash systems 
is valuable for designing new efficient E-Cash systems or new blind signatures 
and group signatures. 

The rest of this paper is structured as follows. Section 2 illustrates how to 
construct DLP-based blind signatures with some concrete examples. Section 3 
lists the blinding equations used in some DLP-based blind signatures. Section 
4 briefly describes some models for applying blind signatures in the area of 
E-Cash. We conclude this paper in the last section. 

2. How to construct DLP>based blind signatures 

The first DLP-based blind signatures applied into E-cash systems can be 
found in [9, 3]. In the context of a blind signature, blindness is a very impor- 
tant aspect. We give the definition of bhndness of a bind signature [5] as follows. 

Def.l. If the signer’s view of a signature execution and the signature results 
on message, are statistically independent, the signature .scheme is called blind. 

We note that blindness of a blind signature indicates that the signature- 
message pairs are unlinkable. In other words, even knowing A valid signature- 
message pairs, no one except the signer can consturct the (N + l)th valid 
signature-message pair. Therefore, the E-Cash systems built on blind signa- 
tures are also unlinkable as the bank notes or coins we use in our real life (we 
can not decide whether two diffenent paper currencies or coins come from the 
same customer or not). 

Normally, in an DLP-based signature or authentication scheme, to prove the 
knowledge of a secret but not revealing any information about it, a signer or 
a prover has to compute the ordinate of a point of a line. The intercept and 
the abscissa of the One are chosen at random by a signature acquirer or/and 
by the signer. The slope of the line is the secret (a discrete logarithm w.r.t a 
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base g) which is known only to the prover or signer. With the public key of 
the signer, any recipients can verify the signature to make sure that the signer 
knows the secret. Under DLP assumption, no one can derive information about 
the secret from the signatures no matter how many times the signature prototocl 
or authentication protocol has been executed. This is a zero knowledge proof 
precess. To construct blind signatures based on DLP, the signer’s view of the 
protocol must be randomized to obtain the blindness of a blind signature. 

Proposition 1. A DLP-based blind signature can be constructed by randomizing any of the coefficients of the line (except the slope, i.e. the secret) that the signer can see during the normal knowledge-proof process. Afterwards, the remaining coefficients of the line can be deduced from the equalities that the normal signature process must satisfy. Which coefficient should be selected for randomization can be decided according to feasibility or efficiency.

Almost all blind signatures of this kind [9, 3, 5, 19, 7, 22] can be built up in this way. We illustrate the process of constructing this sort of blind signature with two examples, taken from [3] and [5] respectively.

Stefan Brands' restrictive blind signature. The restrictive blind signature was first introduced by Brands [3] and is very suitable for designing double-spending resistant or fair off-line E-Cash systems. To some extent it is a basic model for constructing practical E-Cash systems and plays an important role in the area of E-Cash. We investigate the process of constructing such a blind signature, following the notation of Brands' scheme.

System parameters

User: $u_1 \in_R \mathbb{Z}_q$; $I = g_1^{u_1}$ is related to and stored together with the user's identifying information at the bank.

Bank: computes $z = (I g_2)^x$ and sends it to the user (here $x$ is the bank's secret key and $h = g^x$ its public key).

Normal signing process

The normal process of Brands' signature scheme is shown in Figure 1.

Figure 1. Normal signing process
  Signer: selects $w \in \mathbb{Z}_q$, computes $a = g^w$, $b = (I g_2)^w$ and sends $(z, a, b)$ to the user.
  User: computes $c = H(I g_2, z, a, b)$ and sends $c$ to the signer.
  Signer: computes $r = cx + w$ and sends $r$ to the user.
  User: verifies $g^r = h^c a$ and $(I g_2)^r = z^c b$. The signature result is $(r, z, c, a, b)$.

Blinding process

Now we explain how to construct the blind signature on $(I g_2)^s$ instead of on $I g_2$ as in the normal signing process.

■ First, according to the definition of blindness in Def. 1, there should be a new signature tuple $(r', c', z', a', b')$ on the blinded message $(I g_2)^s$. The two tuples $(r, c, z, a, b)$ and $(r', c', z', a', b')$ should be completely independent and satisfy the verification equations $g^r = h^c a$, $(I g_2)^r = z^c b$ and $g^{r'} = h^{c'} a'$, $((I g_2)^s)^{r'} = z'^{c'} b'$ respectively. $(r, c, z, a, b)$ is the signer's view during the signing process and $(r', c', z', a', b')$ is the final blind signature result, which will not be known to the signer.

■ To blind the signing process, $r$ can first be randomized according to Proposition 1 by setting $r' = ru + v$ as in Brands' scheme [3] or $r' = (r + v)u$ as in Chaum's scheme [9], where the integers $u, v$ are chosen at random. Obviously $r$ and $r'$ are independent because of the randomly chosen $u, v$.

■ The rest of the tuple $(r', c', z', a', b')$ can now be deduced as follows. $(r, c, z, a, b)$ is the tuple seen by the signer, satisfying $g^r = h^c a$, $(I g_2)^r = z^c b$ and $r = cx + w$, where $x$ is the secret known only to the signer. From $g^{r'} = g^{ru + v} = (h^c a)^u g^v = h^{cu} a^u g^v$, to satisfy the equality $g^{r'} = h^{c'} a'$ the following must hold: $c' = cu$, $a' = a^u g^v$.

Similarly, $z'$ and $b'$ can be deduced in the same way: to satisfy the equality $((I g_2)^s)^{r'} = z'^{c'} b'$, note that $((I g_2)^s)^{r'} = ((I g_2)^r)^{su} (I g_2)^{sv} = (z^c b)^{su} (I g_2)^{sv} = (z^s)^{cu} b^{su} (I g_2)^{sv}$, so (using $c' = cu$ from above) $z' = z^s$ and $b' = b^{su} (I g_2)^{sv}$ must hold. The blind signature has then been constructed. In the actual protocol the user computes $c' = H((I g_2)^s, z', a', b')$ first and sends $c = c' u^{-1} \bmod q$ to the signer, so that the relation $c' = cu$ holds.
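The blinding derivation above, carried through as an added worked example in Python. This code is not from the paper or from [3]; it uses toy parameters $p = 2039$, $q = 1019$ and $g, g_1, g_2 = 4, 9, 16$ (quadratic residues mod $p$, hence of order $q$) and SHA-256 reduced mod $q$ as the hash $H$, all of which are assumptions for illustration. It implements account opening, the normal signing protocol from the signer's side, and the user's blinding with $s, u, v$: the user computes $c' = H((Ig_2)^s, z', a', b')$, sends $c = c'u^{-1}$, checks the signer's response against the unblinded equations, and unblinds $r' = ru + v$. The final check shows that $(r', c', z', a', b')$ verifies under $h$ against the blinded message while a tampered tuple does not.

```python
"""Brands-style restrictive blind signature with toy parameters (added example)."""
import hashlib
import secrets

# Toy group (assumption): q = 1019 and p = 2q + 1 = 2039 are prime; 4, 9 and 16
# are quadratic residues mod p and therefore generate the order-q subgroup.
P, Q = 2039, 1019
G, G1, G2 = 4, 9, 16


def H(*items: int) -> int:
    """Challenge hash: SHA-256 over the tuple, reduced into Z_q (assumption)."""
    data = b"|".join(str(v).encode() for v in items)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def bank_keygen():
    """Bank secret x in Z_q^* and public key h = g^x."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def register(x: int, u1: int):
    """Account opening: bank stores I = g1^u1 and returns z = (I g2)^x."""
    I = pow(G1, u1, P)
    return I, pow(I * G2 % P, x, P)


def blind_sign(x: int, h: int, I: int, z: int, s: int):
    """One run of the withdrawal protocol.

    Returns the signer's view (r, c, z, a, b), the blinded message (I g2)^s
    and the user's final signature (r', c', z', a', b') on it.
    """
    m = I * G2 % P
    # --- signer: random w, commitments a = g^w, b = (I g2)^w  (sent to the user)
    w = secrets.randbelow(Q)
    a, b = pow(G, w, P), pow(m, w, P)

    # --- user: blinding factors u in Z_q^*, v in Z_q; blinded tuple
    u = secrets.randbelow(Q - 1) + 1
    v = secrets.randbelow(Q)
    m_bl = pow(m, s, P)                               # (I g2)^s
    z_bl = pow(z, s, P)                               # z' = z^s
    a_bl = pow(a, u, P) * pow(G, v, P) % P            # a' = a^u g^v
    b_bl = pow(b, s * u, P) * pow(m, s * v, P) % P    # b' = b^{su} (I g2)^{sv}
    c_bl = H(m_bl, z_bl, a_bl, b_bl)                  # c' = H(m', z', a', b')
    c = c_bl * pow(u, -1, Q) % Q                      # challenge shown to the signer

    # --- signer: ordinate of the line with secret slope x and intercept w
    r = (c * x + w) % Q

    # --- user: check the unblinded proof before accepting it, then unblind r
    if pow(G, r, P) != pow(h, c, P) * a % P or pow(m, r, P) != pow(z, c, P) * b % P:
        raise ValueError("signer response does not verify")
    r_bl = (r * u + v) % Q                            # r' = ru + v
    return (r, c, z, a, b), m_bl, (r_bl, c_bl, z_bl, a_bl, b_bl)


def verify(h: int, m_bl: int, sig) -> bool:
    """Verification of (r', c', z', a', b') on the blinded message under h."""
    r, c, z, a, b = sig
    return (pow(G, r, P) == pow(h, c, P) * a % P
            and pow(m_bl, r, P) == pow(z, c, P) * b % P
            and c == H(m_bl, z, a, b))


def demo() -> dict:
    x, h = bank_keygen()
    u1 = secrets.randbelow(Q - 1) + 1                 # user's identity secret
    I, z = register(x, u1)
    s = secrets.randbelow(Q - 1) + 1                  # message blinding factor
    view, m_bl, sig = blind_sign(x, h, I, z, s)
    r, c, z2, a, b = sig
    tampered = ((r + 1) % Q, c, z2, a, b)
    return {
        "valid": verify(h, m_bl, sig),
        "tampered_rejected": not verify(h, m_bl, tampered),
        "views_differ": view != sig,                  # true except with negligible probability
    }


if __name__ == "__main__":
    print(demo())
```

The signer only ever sees $(r, c, z, a, b)$, and each of $c'$, $r'$, $z'$, $a'$, $b'$ is a fresh random function of $u$, $v$ or $s$, which is what Def. 1 asks for; the user-side check before unblinding matters in practice because an unverified $r$ would let a cheating signer hand out a tuple that fails only later, at the merchant.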

Another example. J. Camenisch presented two DLP-based blind signatures in [5]. One of them is based on a modification of DSA; the other is derived from the Nyberg-Rueppel scheme [16]. We describe the blinding process of the latter as another example of how this sort of blind signature is obtained.

System parameters. The system parameters are as follows. A prime $p$ such that $p - 1$ has a large prime factor $q$. An element $g \in \mathbb{Z}_p^*$ of order $q$. The signer's private key is $x \in \mathbb{Z}_q$, the corresponding public key is $y = g^x \bmod p$. To sign a message $m \in \mathbb{Z}_p$, the signer selects $k \in \mathbb{Z}_q$ at random and computes $c, s$ as follows.

■ $c = m g^k \bmod p$
■ $s = xc + k \bmod q$

The pair $(c, s)$ is the signature on the message $m$. Any recipient can check the equality $m = g^{-s} y^{c} c \bmod p$ to verify the signature.

Blinding process. To obtain the blind signature $(c', s')$ satisfying the equality $m = g^{-s'} y^{c'} c' \bmod p$, where $(c', s')$ and $(c, s)$ should be independent, $s$ can be randomized with the line $s' = s\alpha + \beta$, where $\alpha, \beta \in \mathbb{Z}_q$ are randomly selected integers ($\alpha \neq 0$). $s$ will be computed by the signer in the form $s = \eta x + k$, where $k$ is chosen by the signer at random and $\eta$ is the value the user presents for signing. Substituting $s' = s\alpha + \beta$ into $g^{-s'} y^{c'} c' \bmod p$, to satisfy the equality $g^{-s'} y^{c'} c' = m \bmod p$, $c'$ must equal $m (g^k)^{\alpha} g^{\beta} \bmod p$ (so the signer sends $g^k$ to the user before receiving $\eta$) and $\eta = c' \alpha^{-1} \bmod q$. Then we have obtained the blind signature as described in [5].
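The Nyberg-Rueppel blinding just derived, as an added Python example that is not from [5] or from the paper. It assumes the same toy parameters $p = 2039$, $q = 1019$, $g = 4$ and takes the message to be an integer in $\mathbb{Z}_p^*$. The signer first sends $g^k$, the user forms $c' = m (g^k)^{\alpha} g^{\beta}$ and $\eta = c'\alpha^{-1}$, the signer returns $s = \eta x + k$, and the user unblinds $s' = s\alpha + \beta$. Both the plain and the blind signature are checked with the same verification equation $m = g^{-s} y^{c} c$.

```python
"""Nyberg-Rueppel signature and its Camenisch-style blind variant (added example)."""
import secrets

P, Q, G = 2039, 1019, 4     # toy parameters (assumption): g = 4 has order q mod p


def keygen():
    """Signer key pair (x, y = g^x)."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def sign(x: int, m: int):
    """Plain scheme: c = m g^k mod p, s = xc + k mod q."""
    k = secrets.randbelow(Q)
    c = m * pow(G, k, P) % P
    s = (x * c + k) % Q
    return c, s


def verify(y: int, m: int, sig) -> bool:
    """m = g^{-s} y^{c} c mod p  (the exponent c reduces mod q because y has order q)."""
    c, s = sig
    return m == pow(G, -s, P) * pow(y, c, P) * c % P


def blind_sign(x: int, m: int):
    """Blind variant; returns the signer's view (g^k, eta, s) and the result (c', s')."""
    # signer: random k, sends g^k (it never learns m)
    k = secrets.randbelow(Q)
    gk = pow(G, k, P)
    # user: alpha in Z_q^*, beta in Z_q; c' = m (g^k)^alpha g^beta, eta = c' alpha^{-1}
    alpha = secrets.randbelow(Q - 1) + 1
    beta = secrets.randbelow(Q)
    c_bl = m * pow(gk, alpha, P) * pow(G, beta, P) % P
    eta = c_bl * pow(alpha, -1, Q) % Q
    # signer: s = eta x + k, the line with slope x evaluated at eta
    s = (eta * x + k) % Q
    # user: s' = s alpha + beta
    s_bl = (s * alpha + beta) % Q
    return (gk, eta, s), (c_bl, s_bl)


def demo() -> dict:
    x, y = keygen()
    m = 0x2A5                                    # constructed sample message in Z_p^*
    plain = sign(x, m)
    view, blind = blind_sign(x, m)
    c_bl, s_bl = blind
    return {
        "plain_valid": verify(y, m, plain),
        "blind_valid": verify(y, m, blind),
        "tampered_rejected": not verify(y, m, (c_bl, (s_bl + 1) % Q)),
    }


if __name__ == "__main__":
    print(demo())
```

Note that the signer's view $(g^k, \eta, s)$ contains neither $c'$ nor $s'$, and $\eta$ is $c'$ multiplied by a uniformly random $\alpha^{-1}$, so the view is independent of the resulting signature exactly as Proposition 1 requires.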

3. Generalizing some DLP-based blinding processes

In this section we list the blinding processes of several different blind signatures in the following table.



Table 1. Some examples of blinding processes in different DLP-based blind signatures

Scheme                            Blinding factors    Blinding equation
Schnorr-T. Okamoto [19]           $u$                 $y' = y + u$, $e = e' + d$
T. Okamoto [19]                   $u_1, u_2$          $y_1' = y_1 + u_1$, $y_2' = y_2 + u_2$, $e = e' + d$
D. Chaum [9]                      $u, v$              $r' = (r + v)u$
S. Brands [3]                     $u, v$              $r' = ru + v$
J. Camenisch (DSA type) [5]       $\alpha, \beta$     $R = \ldots$ (actually blinds $k$ by $\alpha k + \beta$)
J. Camenisch (N-R type) [5]       $\alpha, \beta$     $s' = s\alpha + \beta$
P. Horster [12]                   $a, b$              $ak + b$ (blinds $k$)
H.G. Zhang [22]                   $a, b$              $s' = s + a\,(\ldots)$, $c = c' + b$

From the table we can clearly see that, as pointed out in Proposition 1, the general way to construct a DLP-based blind signature is to blind one of the random integers that the signer sees during the signature process.

Blind signatures can protect the privacy of users. On the other hand, the feature of unconditional anonymity can also be misused by criminals for blackmailing or money laundering. In recent years, as E-Cash systems have progressed, new types of DLP-based blind signatures, for instance fair blind signatures [4, 18], partially blind signatures [2], partially restrictive blind signatures [14] etc., have been presented and discussed widely in the area of E-Cash systems. Revocable anonymity as well as exact payment can be achieved with these new types of blind signatures. Most of them, especially the DLP-based systems, can be built with the same method described above or with slight variations.

4. The application of blind signatures in E-Cash

In the development of E-Cash systems there are four basic models for the application of blind signatures.

Model I: Normal blind signature. Under this simplest model, a bank signs the coins blindly and checks the coins on-line to prevent multiple spending.

Model II: Restrictive blind signature. Brands' restrictive blind signature plays a significant role in developing off-line E-Cash systems. Most previous off-line systems providing anonymity and double-spending resistance utilize the property of the restrictive blind signature to some extent [3, 18, 4, 7, 6, 10]. Under this model, the principle of utilizing the restrictive blind signature to build E-Cash systems is that a user's identity is embedded into the "inside" construction of a restrictive blind signature, which is not known to the bank. When spending the coin at a merchant, the user proves to the merchant her knowledge of the "inside" construction using a zero-knowledge proof. When the coin is double spent, two points on a line in the zero-knowledge proof are exposed; the coefficients of the line can then be computed and used to reveal the "inside" construction of the message. Consequently, knowing the "inside" construction reveals the identity information of the user. This kind of system is still anonymous for honest users, because the bank blindly signs only the "outside" construction of the message. This concept can be further extended to build group signatures and group-signature-based E-Cash systems [20, 15, 21, 17].
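The "two points of a line" argument of Model II, as an added Python example that is not from the paper. It assumes a Brands-style coin $A = g_1^{u_1 s} g_2^{s}$ whose "inside" representation $(u_1 s, s)$ only the user knows, a commitment $B = g_1^{x_1} g_2^{x_2}$ fixed at withdrawal, toy parameters $p = 2039$, $q = 1019$, $g_1 = 9$, $g_2 = 16$, and a SHA-256 challenge; the bank's blind signature on $(A, B)$ is left out because only the payment proof matters here. Spending once reveals one point $(d, r_1, r_2)$ on two lines with slopes $u_1 s$ and $s$; spending the same coin twice gives a second point with a different abscissa $d$, from which the bank recovers $u_1$ and hence the account identity $I = g_1^{u_1}$.

```python
"""Double-spending detection in a Brands-style coin (added example, toy parameters)."""
import hashlib
import secrets

P, Q = 2039, 1019          # assumption: toy primes with q | p - 1
G1, G2 = 9, 16             # quadratic residues mod p, hence of order q


def challenge(*items) -> int:
    """Merchant challenge d = H(A, B, shop, time) reduced into Z_q (assumption)."""
    data = b"|".join(str(v).encode() for v in items)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


class Coin:
    """A coin A = g1^{u1 s} g2^{s} with its payment commitment B = g1^{x1} g2^{x2}."""

    def __init__(self, u1: int, s: int):
        self.u1s, self.s = u1 * s % Q, s                 # "inside" representation
        self.A = pow(G1, self.u1s, P) * pow(G2, self.s, P) % P
        self.x1, self.x2 = secrets.randbelow(Q), secrets.randbelow(Q)
        self.B = pow(G1, self.x1, P) * pow(G2, self.x2, P) % P

    def spend(self, shop: str, time: int):
        """Proof of knowledge of the representation: one point on each line."""
        d = challenge(self.A, self.B, shop, time)        # abscissa
        r1 = (d * self.u1s + self.x1) % Q                # ordinate, slope u1 s
        r2 = (d * self.s + self.x2) % Q                  # ordinate, slope s
        return (self.A, self.B, d, r1, r2)


def verify_payment(A, B, d, r1, r2) -> bool:
    """Merchant/bank check: g1^{r1} g2^{r2} == A^d B."""
    return pow(G1, r1, P) * pow(G2, r2, P) % P == pow(A, d, P) * B % P


def trace_double_spender(pay1, pay2):
    """Two payments of the same coin with different challenges expose both slopes."""
    A, B, d1, r1, r2 = pay1
    A2, B2, d2, r1b, r2b = pay2
    if (A, B) != (A2, B2) or d1 == d2:
        return None                                      # not a double spend
    inv = pow((d1 - d2) % Q, -1, Q)
    u1s = (r1 - r1b) * inv % Q                           # slope of the first line
    s = (r2 - r2b) * inv % Q                             # slope of the second line
    u1 = u1s * pow(s, -1, Q) % Q
    return pow(G1, u1, P)                                # I = g1^{u1}, the account identity


def demo() -> dict:
    u1 = secrets.randbelow(Q - 1) + 1
    identity = pow(G1, u1, P)                            # what the bank stored at registration
    coin = Coin(u1, secrets.randbelow(Q - 1) + 1)
    pay1 = coin.spend("shop-A", 1)
    t = 2
    pay2 = coin.spend("shop-B", t)
    while pay2[2] == pay1[2]:                            # toy q: retry on a challenge collision
        t += 1
        pay2 = coin.spend("shop-B", t)
    return {
        "payments_valid": verify_payment(*pay1) and verify_payment(*pay2),
        "traced_to_identity": trace_double_spender(pay1, pay2) == identity,
        "single_payment_anonymous": trace_double_spender(pay1, pay1) is None,
    }


if __name__ == "__main__":
    print(demo())
```

A single payment reveals one point per line and therefore nothing about the slopes, which is why an honest user stays anonymous; the bank only needs to store $(A, B, d, r_1, r_2)$ per deposit and look for a repeated $(A, B)$.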

Model III: Fair blind signature. Although the fair blind signature itself is a new concept introduced in [18, 4], it can easily be obtained from the restrictive blind signature or other blind signatures and can be further used to construct fair off-line E-Cash systems. Fair E-Cash systems offer a compromise between the need to protect the privacy of users and effectively preventing misuse by criminals. The trick in fair blind signatures is that a third party (possibly more than one), called a trustee, is involved in the system. In early systems [4, 7], the trustees view all or part of the blinding process so that they can revoke the anonymity provided by the blind signature. But the trustees have to be involved in each withdrawal or account-opening protocol, so the efficiency is low. In later systems [6, 10], the trustees have a public-private key pair, so there is no need for the trustees to be on-line or involved in any protocol except the tracing protocol.

Model IV: Partially fair blind signature. More recently, a signature called the restrictive partially blind signature was proposed by Maitland [14]. Partially blind signatures were introduced by Masayuki Abe [2]. A partially blind signature scheme allows a signer to produce a blind signature on a message while some commonly agreed information (i.e. expiry date, denomination information) remains visible despite the blinding process. There is no need to use different signing keys for different denominations. We point out here that it is possible to construct anonymity-revocable off-line E-Cash that permits exact payment while remaining double-spending resistant with the restrictive partially blind signature [14, 1, 13]. Exact payment also implies that there is no need to design divisible E-Cash systems, in which complicated cryptographic techniques have to be used, resulting in inefficient and impractical systems for small fund transfers.

For lack of space, we have not illustrated the application of the different blind signatures in E-Cash systems with concrete examples. How to construct fair or partially blind signatures will be discussed in the full version of this paper.

5. Conclusion

In this paper we generalized the process of constructing a DLP-based blind signature. Knowing this process, we can convert most DLP-based digital signatures into blind versions. Meanwhile, we roughly described how to utilize different blind signatures to design different E-Cash systems.
Abstract. Reference [8] proposed a threshold group-signature scheme in order to solve the problem called "threshold group-signature scheme with privilege subsets" posed by Feng Dengguo. We first show that the scheme has some insufficiencies and a potential security hazard. Secondly, using the idea of constructing group-signature schemes from individual signature schemes, we put forward a family of schemes with four variants of ElGamal type, having many attractive properties such as shorter signature length, message recovery, authentication and so on. Finally, the security of our schemes is proved in the standard model.

Keywords: threshold group-signature scheme; secret sharing scheme; ElGamal cryptosystem; message recovery; provable security

1. Introduction

The central task of cryptography is to ensure privacy and authentication, and the signature is one of the most important mechanisms providing authentication. Common signature schemes such as RSA [1] and ElGamal [2] are realized by one signer using his private key and are called "individual signatures". However, in many applications the responsibility of signing must be shared. So it is natural to introduce the concept of the threshold group signature: verifying the validity of a signature needs only the group public key, and anonymity of the signers is also required. In 1991 Desmedt and Frankel first proposed a threshold group-signature scheme based on RSA [3]; after that many similar schemes were put forward, such as [4, 5, 6, 7].

One potential problem of the schemes mentioned above is that the responsibility of each member is the same, but practical cases are not always like this. In 2000, Feng Dengguo posed the problem of the threshold group signature with privilege subsets [8]: a group $G$ of $n$ members has $m$ disjoint privilege subsets $G_i$, each consisting of $n_i$ ($i = 1, 2, \ldots, m$) members. Only when at least $t_i$ members of each subset $G_i$ accept and the total number of participants from $G$ is at least $t$ can the group signature be generated. In addition, anonymity, and tracing of the respective signers in case of an authorized investigation, are required too.

[8] gives a threshold group-signature scheme satisfying the requirements above, and so far no other similar scheme has been proposed. Of course, some threshold key management protocols borrow the idea mentioned above, but most are not secure.

We first show that the scheme proposed in [8] has many disadvantages; furthermore, it has some potential security hazards. Using the idea of constructing group signature schemes from individual signature schemes [4], we put forward a family of schemes of ElGamal type having many attractive properties, such as shorter signature length, no need for the assistance of a trusted party, simpler realization, authentication (i.e. SC can verify the pieces submitted by the respective members) and so on. Of the four variants, two have the property of message recovery, i.e. the message can be recovered from the signature itself, which greatly conveniences applications, for example through economical use of bandwidth. We also give the security proof of our schemes.

2. Analysis of the threshold scheme of [8]

[8] proposed a threshold group-signature scheme with privilege subsets based on the DLP (Discrete Logarithm Problem), called the $(t_j, t, n)$-threshold scheme.

The basic frame of the scheme is as follows.

1) Initialization. IDC (trusted identity distribution center) and every member generate identities together, and the former also produces the needed parameters. After 12 mutual steps, user $i$ ($i = 1, 2, \ldots, n$) gets

$\{id_i, \text{two parameters for signing}\}$,

and DC (Digital Signature Combination Center) gains the polynomials

$F_j(x) = \prod_{i \in G_j} (\ldots)$.

2) Signing. Each member and DC carry out a mutual subprotocol of 12 steps. Then DC determines the validity of the identity of each member using the respective polynomial. If the "privilege threshold" requirement is satisfied, DC broadcasts the group signature parameter $(j, g_j(x), B_j)$, where $g_j(x) \mid F_j(x)$, i.e. $g_j(x)$ is the discriminant of the identities of the signers. Finally, DC collects all individual signatures and produces the group signature $\{ID, S, g(x), R_j, B_j \mid j = 1, 2, \ldots, m\}$, where

$g(x) = \prod_{j=1}^{m} g_j(x) \bmod q$.

Obviously, $g(x)$ reveals the identities of the participants of $G$.

3) Verifying. Omitted.

The analysis is as follows. Firstly, the protocols involved are very complicated, and in particular the signature is long. In fact, the length of the signature is not smaller than $(m+1)\lceil \log_2 p \rceil + (m + t + 1)\lceil \log_2 q \rceil$, where $q \mid (p-1)$, $q, p$ are both secure primes and $m$ is the number of privilege subsets.

Furthermore, the scheme has a potential security hazard. [8] argues that, to meet the anonymity requirement, the identities of the members stay secret because it should be very difficult to factor the polynomial $g(x)$. But in fact there are efficient algorithms, such as Berlekamp's [10], for factoring polynomials over a finite field, even when the characteristic of the field is large.

3. $(t_1, n_1; t, n)$-threshold group signature

3.1 Basic idea

For the sake of simplicity, we assume group $G$ has only one privilege subset $G_1$. Our construction adopts the idea of [4]: based on mature individual signature schemes, for instance schemes of ElGamal type, construct the threshold group-signature scheme using a secret sharing scheme (SSS, such as Shamir's scheme [11]). Compared with [4], we unite the "privilege threshold conditions" with the SSS, i.e., adopting a "double secret sharing (double SSS)" idea, the scheme with four variants based on DLP is constructed. Similarly, it need not require the assistance of a KAC.

3.2 Initiation

The agencies involved are as follows.

KAC: trusted key authentication center, responsible for issuing keys.

SC: signature clerk.

G: party consisting of $n$ members.

$G_1$: privilege subset.

KAC operates as follows.

1) Selects two "secure" primes $p, q$ where $q \mid (p - 1)$.

2) Selects two polynomials $f(x), g(x)$ over $\mathbb{Z}_q$ randomly and secretly, whose degrees are $(t - 1)$ and $(t_1 - 1)$ respectively.

3) Chooses $\alpha$, an element of order $q$ in $\mathbb{Z}_p^*$.

The parameter set, including $(p, q, \alpha)$ and the distinct evaluation points $x_i, y_{ij} \in \mathbb{Z}_q^*$ ($i = 1, 2, \ldots, n$; $j = 1, 2, \ldots, n_1$), is public.

3.3 Generation of group key and secret pieces

We adopt Shamir's secret sharing scheme [11], called SSS. The group secret key is produced by KAC, i.e. $(f(0) + g(0)) \bmod q$, and the group public key is $\beta = \alpha^{f(0) + g(0)} \bmod p$.

Distribution of secret pieces: a common member $i$ gains the piece $f(x_i)$, and $z_i = \alpha^{f(x_i)} \bmod p$. Otherwise, i.e. for a privilege member $i \in G_1$, $i$ obtains the pieces $f(x_i)$ and $g(y_{ij})$, and $z_i = \alpha^{\lambda_i f(x_i) + \mu_i g(y_{ij})} \bmod p$, where $\lambda_i, \mu_i$ are the publicly computable SSS parameters [11] (Lagrange coefficients) used to recover the group secret key, and $y_{ij}$ is the respective $y_j$ introduced in Section 3.2. KAC publishes all $z_i$.

3.4 Generation of threshold group signature

We may assume there are exactly $t$ members taking part, named $1, 2, \ldots, t$. Suppose $m$ is the message to be signed.

1) Generation and verification of individual signatures. For any $i \in \{1, 2, \ldots, t\}$, $i$ first selects $k_i \in \mathbb{Z}_q$ secretly, then computes $r_i = \alpha^{k_i} \bmod p$ and broadcasts it to all members. So each member can compute

$r = \prod_{i=1}^{t} r_i \bmod p$.

A common member $i$ continues to compute $s_i = (f(x_i)\lambda_i h(m) - k_i r) \bmod q$, and a privilege member $i$ computes $s_i = (f(x_i)\lambda_i h(m) + g(y_{ij})\mu_i h(m) - k_i r) \bmod q$, where $h(\cdot)$ is some hash function. Finally, $s_i$ is sent to SC.

SC can verify the validity of $s_i$: for any member $i$, the verification equation of SC is given in terms of the published $z_i$, the broadcast $r_i$ and $r$. If the equation holds, $s_i$ has been verified.

2) Combination of signatures. If SC accepts all the individual signatures, it computes $s = (s_1 + \cdots + s_t) \bmod q$ and outputs $(r, s)$ as the group signature.

3.5 Verification and traceability

The verification equation is $\alpha^s r^r = \beta^{h(m)} \bmod p$. Obviously, if the privilege threshold condition is satisfied, we have the following according to the SSS [11]:

$s = h(m)\Big(\sum_{i=1}^{t} f(x_i)\lambda_i + \sum_{i=1}^{t_1} g(y_{ij})\mu_i\Big) - r\sum_{i=1}^{t} k_i = h(m)\big(f(0) + g(0)\big) - r\sum_{i=1}^{t} k_i \pmod q.$

In view of $r = \prod_{i=1}^{t} \alpha^{k_i}$, the verification equation above holds. Otherwise, i.e. when those conditions are not satisfied, it is impossible to recover the group secret key $f(0) + g(0)$ under the assumption that the DLP is hard. Whenever an accredited agency wants to investigate the identities of all members through their individual signatures, the tracing procedure with the assistance of SC is obvious.

3.6 Threshold group-signature scheme with several privilege subsets

The generic threshold group-signature problem is given in Section 1. We call such schemes $(t_1, n_1; \ldots; t_m, n_m; t, n)$-schemes, where $m$ is the number of privilege subsets and is not smaller than 1.

$(t_1, n_1; t, n)$-schemes can easily be extended to $(t_1, n_1; \ldots; t_m, n_m; t, n)$-schemes. In fact, we may select $m + 1$ polynomials $f(x), g_1(y_1), \ldots, g_m(y_m)$, and the group secret key is $\big(\sum_{i=1}^{m} g_i(0) + f(0)\big) \bmod q$, where any common member obtains only a piece $f(x_i)$ and any privilege member gains knowledge of $f(x_i)$ and one respective $g_i(y_{ij})$, i.e. $\lambda_i f(x_i) + \mu_{ij} g_i(y_{ij})$; details omitted.

3.7 Instance without the assistance of KAC

As in [4], our schemes can do without the assistance of a KAC. As a matter of fact, we can realize the schemes in such a way that each member becomes his own KAC, i.e. selects his own secret and public key pair $(x_i, y_i)$ (ElGamal type) by himself. The group public key is $y = \prod_{i=1}^{n} y_i$. Every member distributes pieces of his own secret key to privilege members in the "double SSS" way and to members without privilege in the common way. Other details are the same as in the former sections.

4. Threshold group-signature schemes with message recovery

In view of efficiency, signature schemes with message recovery are very attractive. In this section we give two $(t_1, n_1; \ldots; t_m, n_m; t, n)$-threshold group-signature schemes with message recovery. For simplicity, they are illustrated with $(t_1, n_1; t, n)$-threshold schemes all the same.

4.1 Generic threshold schemes of ElGamal type

Based on the discussion above, one may ask whether all individual signatures of ElGamal type can be applied to construct threshold group signatures in this way. The answer is positive.

Firstly, the two individual signature schemes determined by

$r = \alpha^k \bmod p,\quad s = xh(m) \pm kr \bmod q$   (1)

and

$r = \alpha^k \bmod p,\quad s = xr \pm h(m) \bmod q$   (2)

can both be used in the way above, where the derivation of the verification equation is omitted and the concrete construction method is similar to the former sections. In fact, (1) is just the individual scheme used in Section 3.

Noteworthily, [9, 12] proposed six variants of individual signature schemes with message recovery of ElGamal type. The two variants below can be used to construct our threshold group signature schemes with privilege subsets:

$r = R(m)\alpha^{-k} \bmod p,\quad s = -xr + k \bmod q$   (3)

and

$r = R(m)\alpha^{-k} \bmod p,\quad s = -x + kr \bmod q$   (4)

where $R(\cdot)$ is a redundancy function which is a reversible permutation (when it is replaced with a hash function, the two schemes are the same as the common schemes without message recovery), and the respective verification equations are $R(m) = r y^{r} \alpha^{s} \bmod p$ and $R(m) = r y^{r^{-1}} \alpha^{s r^{-1}} \bmod p$, with $y = \alpha^x$ the public key.

In Section 4.2, taking the first variant above as an example, we propose new $(t_1, n_1; t, n)$-threshold schemes.



4.2 Threshold schemes with message recovery

Initialization and distribution of secret key pieces are similar to Section 3. We also assume there are exactly $t$ members taking part, named $1, 2, \ldots, t$. Suppose $m$ is the message to be signed. The signing procedure is as follows.

1) Generation and verification of individual signatures. For any $i \in \{1, 2, \ldots, t\}$, $i$ first selects $k_i \in \mathbb{Z}_q$ secretly, then computes $r_i = \alpha^{-k_i} \bmod p$ and broadcasts it to all members. Therefore every member can compute

$r = R(m)\prod_{i=1}^{t} r_i \bmod p$.

A common member $i$ continues to compute $s_i = (-f(x_i)\lambda_i r + k_i) \bmod q$, and a privilege member $i$ computes $s_i = (-f(x_i)\lambda_i r - g(y_{ij})\mu_i r + k_i) \bmod q$, where $R(\cdot)$ is the redundancy function of Section 4.1. Finally, $s_i$ is sent to SC.

For any member $i$, the verification equation of SC is given in terms of the published $z_i$, the broadcast $r_i$ and $r$. If the equation holds, $s_i$ has been verified.

2) Combination of signatures. If SC accepts all the individual signatures, it computes $s = (s_1 + \cdots + s_t) \bmod q$ and outputs $(r, s)$ as the group signature.

Obviously, the verification equation of the group signature is $r\alpha^{s}\beta^{r} = R(m) \bmod p$.

As in Section 3, we can also construct the $(t_1, n_1; \ldots; t_m, n_m; t, n)$-threshold schemes with message recovery, named MR-$(t_1, n_1; \ldots; t_m, n_m; t, n)$-threshold schemes, which need not the assistance of a KAC.

5. Analysis

We take the scheme of Section 3, called the $(t_1, n_1; t, n)$-threshold scheme, and the one of Section 4, called the MR-$(t_1, n_1; t, n)$-threshold scheme, as examples.

Because of restricted space, the proofs are omitted.

Theorem 5.1. If each party involved abides by the rules of the protocol, the verification equations of the two schemes mentioned above, i.e. $\alpha^{s} r^{r} = \beta^{h(m)}$ and $r\alpha^{s}\beta^{r} = R(m)$, hold.

By all appearances, only SC can identify the members taking part in signing. So our schemes satisfy anonymity and do not need a special identity authentication algorithm, which differs greatly from [8]. In addition, our schemes have another good property: even a coalition of SC and some set of members that does not satisfy the privilege threshold condition cannot construct a valid signature, because SC itself cannot see the group secret key and the first component of the signature (i.e. $r$) is produced by all members taking part.

Finally, we study whether the two schemes are secure against forgery. We adopt the "provable security" methodology. In other words, lengthy research has convinced people of the security against forgery of the two individual signature schemes (1) and (3), see [9, 12]. Therefore we base our analysis on the assumption that the individual signature schemes (1) and (3) are secure. For simplicity, we prescribe that the adversary is a probabilistic polynomial time (PPT) algorithm which can corrupt any member of the group.

We first prove that an adversary that can corrupt at most $(t - 1)$ members of $G$ learns nothing from the interaction between herself and the honest members.

We write $S(m, k) = (m, r, s)$ for the random variable determined by individual signature scheme (1) and $MS(m, k) = (m, r, s)$ for that of the individual signature scheme with message recovery (3). Similarly, we define the random variables $GS(m, k_1, \ldots, k_t) = (m, r, s)$ and $GMS(m, k_1, \ldots, k_t) = (m, r, s)$ according to the group signature scheme of Section 3 and that of Section 4 respectively, where we assume the respective group secret key is the same as the secret key of the individual scheme.

Theorem 5.2. If the conditions above are satisfied, then $S(m, k)$ and $GS(m, k_1, \ldots, k_t)$ are indistinguishable, and so are $MS$ and $GMS$.

Secondly, we consider the interaction between an adversary $A$ and dishonest members, i.e. $A$ tries to impersonate honest members. For simplicity, we assume $A$ has corrupted $(t - 1)$ of the $t$ participants. Take the $(t_1, n_1; t, n)$-threshold scheme as an example and base the analysis on the assumption that the individual signature scheme

$r_i = \alpha^{k_i} \bmod p,\quad s_i = y_i h(m) - k_i r \bmod q$

is secure, where $r = r' r_i$ and $r'$ is any extra public input.

Theorem 5.3. Under the assumption above and the conditions of Theorem 5.2, the $(t_1, n_1; \ldots; t_m, n_m; t, n)$-threshold scheme is secure against forgery.

References

[1] Rivest, R.L., Shamir, A. and Adleman, L., A Method for Obtaining Digital Signatures and Public-key Cryptosystems. Comm. ACM, Vol. 21(2), 1978.

[2] ElGamal, T., A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms, IEEE Trans. IT-31, 1985.

[3] Y. Desmedt and Y. Frankel, Shared generation of authenticators and signatures, CRYPTO'91, Springer-Verlag, 1992.

[4] L. Harn, Group-oriented (t,n)-threshold digital signature scheme based on discrete logarithms, IEE Proc. Computers and Digital Techniques, Vol. 141, No. 5, 1994.

[5] Jinn-Ke Jan et al., A threshold signature scheme withstanding the conspiracy attack, Computer Communications, Vol. 21, No. 8, 1999.

[6] Wang Gui-lin and Qing Si-han, A Threshold Undeniable Signature Scheme Without a Trusted Party, Journal of Software, Vol. 13, No. 9, 2002.

[7] Kazuo Takaragi et al., A Threshold Digital Signature Issuing Scheme without Secret Communication, 1997.

[8] Shi Yi and Feng Dengguo, The design and analysis of a new group of $(t_j, t, n)$-threshold group-signature schemes, ChinaCrypto'2000.

[9] Kaisa Nyberg, Rainer A. Rueppel, Message Recovery for Signature Schemes Based on the Discrete Logarithm Problem, EUROCRYPT'94, Springer-Verlag, 1994.

[10] Lidl, R. and Niederreiter, H., Introduction to Finite Fields and their Applications, Cambridge University Press, 1986.

[11] Shamir, A., How to share a secret, Communications of the ACM, 22(11), 1979.

[12] Giuseppe Ateniese and Breno de Medeiros, Efficient Group Signatures without Trapdoors, 2003.




A NEW GROUP SIGNATURE SCHEME WITH UNLIMITED GROUP SIZE

FU Xiaotong, XU Chunxiang

Information Security and Privacy Institute, National Key Lab of ISN, Xidian University, Xi'an, 710071, China

fxtl@163.com



Abstract. Group signature schemes are fundamental cryptographic tools that have many practical applications. We found that there are some similarities between group signatures and proxy signatures. A new group signature scheme with unlimited group size is proposed, based on the heuristic idea of a proxy signature scheme with proxy signer's privacy protection. In this group signature scheme the group manager plays the role of the original signer, and the legal group members act as the proxy signers to whom the original signer delegates signing power. The security properties of the new scheme are also discussed in the paper.

Keywords: group signature, proxy signature, privacy and anonymity, cryptographic protocols

Introduction

Group signatures, introduced by Chaum and van Heyst [1], allow any member of a potentially large group to sign on behalf of the group. A group signature is required to be anonymous and unlinkable for anyone except the designated group manager, who can correlate signatures and reveal the identity of the actual signer. At the same time, no one (including the group manager) can misattribute a valid group signature. Group signatures are claimed to have many practical applications at present. Their salient features, anonymity and unlinkability, make them attractive for many specialized applications such as e-voting and e-auctions. This suggested to us that proxy signatures with proxy signer privacy protection could be applied to construct group signature schemes with unlimited group size. A proxy signature scheme [2, 3, 4], which is a variation of an ordinary digital signature scheme, enables a manager (called the original signer) of a company to delegate his signing power to a reliable secretary (called the proxy signer), who can sign on his behalf. A proxy signature scheme with proxy signer privacy protection [5] focuses on protecting the privacy of the proxy signer. Under such a scheme, anyone who only obtains the proxy signatures cannot determine the actual identity of the proxy signer. This property can guarantee the proxy signers' security when they sign sensitive information or do not want to release their proxy identities to other third parties.

Mambo et al. [2] defined the properties that a strong proxy signature scheme should provide:

1 Strong Unforgeability: only the legitimate proxy signer can generate a valid proxy signature; even the original signer cannot.

2 Verifiability: anyone can verify the signature, and the signed message should conform to the delegation warrant.

3 Strong Identifiability: anyone can determine the identity of the corresponding proxy signer, either directly or indirectly (in the latter case the original signer's help is needed).

4 Strong Undeniability: the proxy signer cannot repudiate a signature that he generated.

A group signature scheme usually involves three entities: the group manager, the group members and the verifier, denoted by A, B and V respectively. The group manager is responsible for registering new users to the group, and only he can help a verifier reveal the actual identity of the signer from a group signature in case of a dispute.

Definition 1: In general, a group signature scheme is defined by a family of procedures [6]:

1 SETUP: a probabilistic algorithm which generates the group-specific parameters.

2 JOIN: a prospective member executes this protocol, interacting with the group manager, to join the group. The new member's outputs are a membership certificate and the corresponding secret.

3 SIGN: a probabilistic algorithm that outputs a group signature when given as input a message, the group public key, a membership certificate and the associated membership secret.

4 VERIFY: a Boolean-valued algorithm used to test the authenticity of signatures generated by the above step.

5 OPEN: an algorithm which, given as input a message, a group signature on it and the other information needed, extracts the membership certificate used to issue the signature and a non-interactive proof of the signature's authorship.
Definition 2: The security properties that a group signature scheme must 
satisfy are as follows [6]: 

1 Anonymity: Given a valid signature, identifying the actual signer of the 
group is computationally hard for everyone but the group manager. 

2 Unforgeability: Only legal members of the group can sign messages on 
behalf of the group; and other group members (even the group manager) 
cannot sign on behalf of a group member, which means they cannot forge 
a valid group signature and successfully attribute it to another legal group 
member. 

3 Unlinkability: Deciding whether two different group signatures pro- 
duced by the same group member is computationally hard. 

4 Traceability: The group manager is able to open a signature and identify 
the actual signer. Moreover, a signer cannot prevent the opening 
of a valid signature. 

5 Exculpability: Neither a group member nor the group manager can sign 
on behalf of other group member. 

6 Coalition-Resistance: A colluding subset of group members cannot 
generate valid group signatures that cannot be traced. 

The rest of this paper is organized as follows. In the second 
section we present a proxy signature scheme with proxy signer's privacy pro- 
tection. In the third section, based on the proxy signature scheme of section 
2, a new group signature scheme with unlimited group size is proposed. In 
the fourth section we show the properties the new group signature scheme sat- 
isfies. In the fifth section the relations between group signatures and proxy 
signatures are discussed. The last section is our conclusion. 

1. Proxy signature with privacy protection 
1.1 Notations 

Throughout this paper, the system parameters used in all schemes are defined as 
follows. Let $p$ and $q$ be two large prime numbers with $q \mid (p-1)$, let $g$ be 
a generator of order $q$ in the multiplicative group $Z_p^*$, and let $h(\cdot)$ be a 
cryptographically secure hash function. $(x_A, y_A)$ is the secret-public key pair of user $A$. 
A user $B$'s identity is denoted by $ID_B$, and we use $|ID_B|$ to denote the user $B$ whose 
identity is $ID_B$, i.e. $|ID_B| = B$. Let $\sigma = Sign(m, x_A)$ be a DLP-based 
signature on message $m$ using private key $x_A$ and $Verify(m, \sigma, y_A)$ be the 
corresponding verification algorithm. Let "$\|$" denote the concatenation of two 
strings. 
1.2 An improved proxy signature scheme 
Identity blindness 

In this step, the original signer $A$ blinds the actual identities of all his designated 
proxy signers by giving every proxy signer in his valid proxy signer set 
$\{ID_B\}$ a new identity called the proxy identity. Thus a proxy signer can sign on 
behalf of the original signer while hiding his actual identity, which gives him privacy 
protection. For example, to blind the identity of a proxy signer $B$, $A$ randomly 
chooses a number $k_B \in_R Z_q$ and computes $ID_P = h(k_B \| ID_B)$. $A$ sends 
$ID_P$ to $B$. The hash value $ID_P$ is the proxy identity of the proxy signer $B$. At 
the end of this step, the original signer $A$ records the tuple $(ID_P, ID_B, k_B)$ for 
later use in anonymity revocation. 

Delegating 

The original signer $A$ uses the Schnorr signature scheme to delegate his signing 
power to the proxy signer $B$ whose proxy identity is $ID_P$. $A$ chooses a random 
number $k_A \in_R Z_q$ and 

computes $r_A = g^{k_A} \bmod p$, 
computes $s_A = x_A\, h(ID_P \| r_A) + k_A \bmod q$. 

$A$ then sends the ordinary Schnorr signature $(r_A, s_A)$ to $ID_P$; $s_A$ is the del- 
egating key of $A$. $ID_P$ verifies $s_A$ by the Schnorr signature verification equation 
$g^{s_A} \equiv y_A^{h(ID_P \| r_A)}\, r_A \pmod p$, and accepts $(r_A, s_A)$ if the equation holds. 

Proxy signing 

$|ID_P|$, who is actually $B$, produces his proxy key, denoted by $x_P$: 

computes $x_P = s_A + k \bmod q$, 

computes $r_B = g^{k} \bmod p$, 

where $k \in_R Z_q$ is a random number. 

Then $|ID_P|$ chooses one of the existing DLP-based signature schemes to produce 
a proxy signature on message $m$: 

computes $\sigma = Sign(m, x_P)$. 

The tuple $(m, \sigma, r_A, r_B, ID_P, r)$ is a valid proxy signature on behalf of $A$. 
Verify 

To verify a proxy signature, a verifier first computes the proxy public key 
$y_P \bmod p$. 

Then he verifies the received proxy signature as in the ordinary signature scheme, 
i.e. checks whether the equation $Verify(m, \sigma, y_P) = \text{true}$ holds or not. 

Anonymity revocation 

In case of a dispute, the original signer can detect the actual proxy signer's 
identity $ID_B$ from the recorded tuple $(ID_P, ID_B, k_B)$ by the $ID_P$ in the proxy 
signature $(m, \sigma, r_A, r_B, ID_P, r)$. 
2. Group signature with unlimited group size 

The proposed group signature scheme with unlimited group size contains 
five steps: 

Step 1: SETUP 

When a user $B$ wants to join a group $G$, he first sends a request message to 
the group manager $A$ to start the protocol. $B$ is required to convince $A$ that he 
is qualified to join the group $G$. This authentication of the prospective group member 
can be achieved by ordinary authentication schemes. 

Step 2: JOIN 

■ $B$ generates a secret-public key pair $(x, y)$, where $x \in_R Z_q$, $y = g^x \bmod 
p$, then sends the public key $y$ together with his identity $ID_B$ to $A$. 

■ $A$ generates a random number $k_B \in_R Z_q$ and hashes it with $ID_B$. The 
hash value $ID_P$ is the blind identity for $B$, i.e. 

computes $ID_P = h(k_B \| ID_B)$. 

■ $A$ then signs $B$'s new public key $y$ and blind identity $ID_P$ together. 
The certificate also contains a warrant message $w_P$, which states that 
the blind identity $ID_P$ is a legal member of group $G$. The certificate 
is $(y, ID_P, w_P, r_A, s_A)$. To generate the certificate, $A$ first chooses a 
random number $k_A \in_R Z_q$, and computes $r_A, s_A$: 

computes $r_A = g^{k_A} \bmod p$, 

computes $s_A = x_A\, h(y \| ID_P \| r_A) + k_A \bmod q$, 

where $x_A$ is the secret key of $A$ and $y_A$ is the corresponding public key. 

$A$ records $(y, ID_P, w_P, ID_B, k_B)$ and sends $(y, ID_P, w_P, r_A, s_A)$ to $B$. 

Step 3: SIGN 

$B$ uses his private key $x$ to sign a message $m$ on behalf of the group $G$. He 
creates the signature by using a DLP-based signature scheme: 

computes $\sigma = Sign(m, x)$. 

The group signature is the tuple $(m, \sigma, y, ID_P, w_P, r_A, s_A)$. 

Step 4: VERIFY 

When verifying a signature created by a legal group member, the verifier first 
verifies the warrant $w_P$ and the equation $g^{s_A} \equiv y_A^{h(y \| ID_P \| r_A)}\, r_A \pmod p$ to 
confirm the group manager's authentication of the group member. If both verifications 
succeed, the verifier verifies the received group signature $\sigma$ 
by the verification algorithm of the DLP-based signature scheme, $Verify(m, \sigma, y)$. 
If the value is true, the verifier accepts the group signature. 

Step 5: OPEN 

In case of a dispute, the group signature protocol requires that the group manager 
can identify the signer who produced the group signature, by 
searching the database for the recorded tuple $(y, ID_P, w_P, ID_B, k_B)$ using the 
group signature tuple $(m, \sigma, y, ID_P, w_P, r_A, s_A)$. 

$A$ sends $ID_B, k_B$ to the verifier. 

The verifier computes $ID_P' = h(k_B \| ID_B)$ 

and compares whether $ID_P' = ID_P$. 

If they are the same, the verifier is convinced that the signer of the group 
signature is the group member $B$. 

Thus, the actual identity of the group signer who produced the disputed 
signature has been revealed. 

3. Properties analysis 

1 Unforgeability: 

In our protocol, obviously no one, not even the group manager, can produce 
a legal group signature under the name of $B$. This is because the group 
manager and other signers or parties (either legal or illegal) do not have 
the secret key $x$. Nobody can produce a valid signature $\sigma = Sign(m, x)$ 
under the name of $ID_P$. 

2 Exculpability: 

The signature produced by a group member $ID_P$ cannot be successfully 
attributed to another. This is because the group signature $(m, \sigma, y, ID_P, 
w_P, r_A, s_A)$ contains the group manager's warrant $w_P$ on the group member 
who signed the message. At the same time, the group manager and a 
group member, having no other group member's secret key $x$, could not generate 
signatures on behalf of other group members. 

3 Anonymity: 

Since the group signature $(m, \sigma, y, ID_P, w_P, r_A, s_A)$ does not contain 
any information directly related to the actual identity of $B$, no one can 
get anything useful to identify the actual signer from the group signature 
alone. The group member's privacy is protected in the same way as the proxy signer's 
privacy. 

4 Traceability: 

With the help of the group manager, $(y, ID_P, w_P, ID_B, k_B)$ can be found 
from the information provided by the group signature. The verifier 
can thus learn the actual identity of the signer in case of a dispute. 

5 Verifiability: 

The verifier can be convinced that a valid group member created the 
group signature. This is because the public key $y$ used in the verification 
algorithm is certified by the group manager, and the warrant contains 
the correlative information that states the blind identity in the group 
signature is the identity of a legal member of $G$. These two conditions 
hold only if the signature is actually created by a valid group member. 
6 Coalition-Resistance: 

By the use of the warrant $w_P$ and the Unforgeability property, group 
members cannot collude to generate a signature and successfully 
claim it as a valid group signature signed by a legal group member $B$. 

7 Unlimited group size: 

The group manager does not have to determine how many members the 
group has before registering new members. This is because adding new 
group members has no impact on the group and the former members. 
The administrator can also register new group members at any time. As 
a result, the group size is unlimited. 

4. Discussion 

Proxy signatures with proxy signer’s privacy protection and group signatures 
have the following similarities: 

Authentication: In both schemes, the proxy signer (the group member) has 
to get the authorization from the original signer (the group manager) before he 
possesses the signing power. 

Anonymity revocation: The signature created by any of the proxies (legal 
member in the same group) means the same to a verifier. If disputes do not 
occur, there is no need to identify which proxy (group member) created the 
signature. 

Traceability: Both schemes should have identifiability (Traceability) and 
anonymity (Unlinkability). 

Unforgeability: The valid signature belonging to a legal signer cannot be 
forged by anyone else. 

As a result, the group signature scheme presented in this section actually 
transforms the proxy signer of a proxy signature scheme to the group member 
of a group signature scheme. The new scheme satisfies the group signature 
scheme's basic security properties better. At the same time the group size is 
improved to be unlimited, which is a good property required by many group 
signatures. 

5. Conclusion 

In this group signature scheme with unlimited group size, the group manager 
plays the role of the original signer, and a legal group member acts as a proxy 
signer to whom the original signer's signing power is delegated. The techniques devel- 
oped in our group signature scheme are suitable for applications in which 
the signer's anonymity and identifiability are required, such as e-commerce, 
e-voting and e-auctions. They can also be used in electronic transactions 
[4] and mobile agent environments [5], so the proposed group signature scheme 
would have a very wide range of applications. 
Abstract Identity based cryptosystems can greatly reduce the reliance on the current public 
key certificates, which need to be obtained in advance, by deriving the public key 
from identification information such as an email address or a public IP address 
which can uniquely identify the entity. In this paper, we present a new identity 
based signature (IBS) scheme based on the quadratic residue problem (IBS-QR). It is 
a combination of identity based and mediated cryptography. Furthermore, it can 
solve the public key revocation problem easily. 

Keywords: identity based signature, quadratic residue, digital signature scheme 

1. Introduction 

Nowadays, public key infrastructure (PKI) plays an important role in au- 
thenticating and providing the binding between entities and the corresponding 
public keys. It is a significant tool widely used in electronic commerce and 
secure communications. We notice that, under the current infrastructure, 
the certificate containing the signer's identity and the claimed public key has 
to be obtained in advance or has to be sent along with the signature before any 
authentication or verification of signatures takes place. The cost to establish 
and maintain a Certificate Authority (CA) is heavy. Furthermore, cross domain 
verification is complicated and some problems related to the certificate revo- 
cation list are still left unsettled like a "hot potato". So far, many CAs have 
been set up but few of them have succeeded. This is the main reason why individuals 
and organizations are still cautious when they plan to deploy PKI technology. 

Unlike conventional PKI, there is no need to obtain the public key in advance in 
identity based cryptosystems. Also, there is no need to establish a CA center. 
Public keys of the signers can be constructed from their public unique identifi- 
cation information, such as email addresses. Consequently, the side effects 
brought by cross domain verification and the certificate revocation problem 
can be eliminated naturally in identity based signature schemes. In general, 
identity based cryptosystems bring fresh air and new ways for constructing 
public key cryptosystems. 

The concept of identity based cryptosystems was first introduced by Shamir 
in 1984 [8]. Over the years, there was not much development on this topic. Re- 
cently, Cocks proposed an identity based encryption scheme based on the quadratic 
residue problem [3]. Boneh and Franklin developed another identity based en- 
cryption scheme, BF-IBE, based on the Weil pairing [1]. Afterwards, a number 
of identity based cryptosystems have been presented within these two years 
[2, 6, 5, 9]. None of them except Cocks's scheme is based on the quadratic residue 
problem. In Cocks's scheme, identity based encryption based on the quadratic residue 
problem was used to transfer keys of a symmetric key algorithm. The effi- 
ciency of the scheme is quite low, since a 128-bit symmetric encryption key needs 
16K bytes of keying material, or even double that if the sender does not know whether she 
sends the square root of $a$ or $-a$. 

In this paper, we present a simple identity based signature scheme based 
on quadratic residues (IBS-QR). The signature scheme has the following advan- 
tages: the proposed scheme has a large signing space, since plaintexts are not limited 
only to the quadratic residues as in normal Rabin-like signature schemes. The new 
scheme is secure against chosen-ciphertext attacks by using a secure one-way 
hash function during the signature generation. Furthermore, the new scheme 
is a combination of identity based and mediated cryptography similar to the 
IB-mRSA developed in [9]; our scheme, however, is based on the quadratic residue 
problem. The purpose of the combination is to eliminate the possible compro- 
mise of the private key during the signature generation. Compared with the 
scheme presented in [9], the key generation in our scheme is much simpler and 
more efficient. From the point of view of reducing computation, this improvement 
is significant. 

The rest of the paper is organized as follows. Some basic notations are in- 
troduced in the next section. We give a detailed description of IBS-QR and 
analyze the security of the scheme in section 3. In section 4 we outline a 
possible application scenario of IBS-QR. Finally, we make some comparisons 
and conclude our work in the last section. 
2. Notation and related theorem 

In this section, we introduce some notations and a related theorem which will 
be used in the scheme. 

Let $n$ be an integer and $Z_n^* = \{k \in Z_n \mid \gcd(k, n) = 1\}$ be the multiplicative 
group of integers modulo $n$, and let $a \in Z_n^*$. The integer $a$ is said to be a 
quadratic residue modulo $n$ if there exists an $x \in Z_n^*$ such that $x^2 \equiv a \pmod n$; 
otherwise $a$ is called a quadratic non-residue modulo $n$. The set of all quadratic 
residues modulo $n$ is denoted by $Q_n$ and the set of all quadratic non-residues is 
denoted by $\bar{Q}_n$. 

Let $n = pq$ be a product of two different odd primes. Then $a \in Z_n^*$ is a 
quadratic residue modulo $n$ if and only if $a \in Q_p$ and $a \in Q_q$. 

The Jacobi symbol is a generalization of the Legendre symbol to an integer 
$n$ which is odd but not necessarily prime. Let $n \ge 3$ be an odd integer with 
prime factorization $n = p_1^{e_1} p_2^{e_2} \cdots p_k^{e_k}$. Then the Jacobi symbol $(\frac{a}{n})$ could be 

defined as follows. 



In addition, we define $J_n = \{a \in Z_n^* \mid (\frac{a}{n}) = 1\}$, and let $\tilde{Q}_n = J_n - Q_n$ 

denote the set of false square roots modulo $n$. 

We get the following facts from [7]. If n is a composite and the factorization 
of n is unknown: 

■ There is no efficient procedure known for deciding whether or not $a$ ($\in J_n$) 
is a quadratic residue modulo $n$ other than by guessing the answer. 

■ It is believed that the quadratic residue problem is as difficult as factoring 
integers, although no proof of this is known. 

■ Finding square roots of $a \in Q_n$ modulo $n = pq$ is computationally 
equivalent to factoring the modulus $n$. 

Williams integer. A Williams integer is a composite integer of the form 
$n = pq$, where $p \equiv 3 \pmod 8$ and $q \equiv 7 \pmod 8$ are distinct primes. 

Theorem 1. Let $x \in J_n$ and let $n = pq$ be a Williams integer. Then 

$$x^{2d} \bmod n = \begin{cases} x, & \text{if } x \in Q_n \\ n - x, & \text{if } x \in \tilde{Q}_n \end{cases}$$ 

where $d = (n - p - q + 5)/8$. 

Proof. We know the fact that if $x \in Q_n$, then $x^{(n-p-q+5)/8} \bmod n$ is a 
square root of $x$ modulo $n$. Therefore, we have the result $x^{2d} \equiv x \pmod n$. 

Let us now consider the case where $x \in \tilde{Q}_n$. It follows from the definition 
of $\tilde{Q}_n$ that $(\frac{x}{n}) = (\frac{x}{p})(\frac{x}{q}) = 1$ and $(\frac{x}{p}) = (\frac{x}{q}) = -1$. In addition, because 
$n = pq$ is a Williams integer, we can express $p$ and $q$ in the following forms: 
$p = 8l_1 + 3 = 4l_1' + 3$, $q = 8l_2 + 7 = 4l_2' + 3$. According to the proper- 
ties of the Legendre symbol, it follows that $(\frac{-1}{p}) = (-1)^{(p-1)/2} = -1$, 
$(\frac{-1}{q}) = (-1)^{(q-1)/2} = -1$. Then we get the fact that 

$(\frac{-x}{p}) = (\frac{-1}{p})(\frac{x}{p}) = 1$, $(\frac{-x}{q}) = (\frac{-1}{q})(\frac{x}{q}) = 1$, so that $n - x$ (or $-x$) 

$\in Q_n$. As mentioned above, we know that $(n - x)^{2d} \equiv (n - x) \pmod n$. Now 

we can conclude that $x^{2d} \equiv (n - x)^{2d} \equiv (n - x) \pmod n$ when $x \in \tilde{Q}_n$. 



3. Identity based signature scheme based on quadratic 
residue problem (IBS-QR) 

The basic idea behind the IBS-QR scheme is the use of a user's public unique 
identity, such as an email address, for deriving the user's public key. All users within 
a system share a single common modulus $n$. The main feature of identity based 
signature is that there is no need to issue certificates which bind the identity of the 
certificate's holder and the corresponding public key. The revocation problem can 
be solved easily in an identity based signature scheme, in contrast to its complexity 
in current PKI systems. 

It is obviously insecure when all users share the same single modulus within 
the system. In RSA-like public key systems, sharing a single modulus is subject 
to the vulnerability that the modulus can be factored, which consequently facilitates com- 
puting the other users' private keys. Similarly, when sharing a single common 
modulus in a quadratic residue based identity signature scheme, the private keys 
of all users are the same. We approach the problem by introducing a mediated 
signer (MS) and splitting the private keys of users into two parts, which are held by 
the user and the MS separately, so that no one possesses a complete private key. 
The same method was adopted in Ding's identity based system [9]. Now we 
turn to the setup of the signature scheme. 

The initialization work can be done by a trusted authority (TA). The TA selects 
a Williams integer $n$, where $n = pq$ and $p, q$ are primes of similar length, as 
the public key of all system users. The system private key $(p, q, d)$, where 
$d = (n - p - q + 5)/8$, is known only to the TA. 

For each user, the TA selects a random $r \bmod n$ (unique to each user) as the 
user-part private key. Then the TA computes $R = (d - r) \bmod n$ as the MS-part 
private key. The MS collects the MS-part keys of all users, and the users generate 
signatures cooperating with the MS. 

Let $h(x)$ be a collision resistant hash function. 

Identity Based Signature Scheme Based on Quadratic Residues 

3.1 IBS-QR signing 

1. Signature generation. Suppose Alice is the signer, MS the mediated 
signer, Bob the verifier, and $m$ the message to be signed. In our 
case, we use the user's email address as the public identity ($id$). The signature 
generation process is shown in Figure 1 and Figure 2. 



Signing: Alice 

- Compute $h(m\|id)$, $h(id)$ 

- Test whether $\gcd(h(m\|id), n) = 1$ or not. 
If this is not the case, the message $m$ should be changed 

- Choose $a$ as follows: 
$a = 0$ if $(\frac{h(m\|id)}{n}) = 1$, and $a = 1$ if $(\frac{h(m\|id)}{n}) = -1$, 
so that $2^a h(m\|id) \bmod n \in J_n$ 

- Compute $s' = (2^a h(m\|id))^r \bmod n$ 

- Send the temporary result $s', a, m, id, h = h(s'\|a\|m\|id)$ to the MS 

Figure 1. Signing process 1 

Signing: MS 

- After receiving $s', a, m, id$, verify the hash value $h$ 

- Choose the corresponding key $R$ according to Alice's identity 

- Compute the final signature $s = s' (2^a h(m\|id))^R = (2^a h(m\|id))^d \bmod n$ 

- Send the final signature result $(s, a)$ back to Alice 

Figure 2. Signing process 2 



During the signature generation process, the message should be changed if 
$\gcd(h(m\|id), n) \neq 1$. Otherwise, it is possible to reveal the value of $p$ or $q$ (see Note 1). 
The probability that $\gcd(h(m\|id), n) \neq 1$ is negligible if $n$ 
is large enough in length. 

According to the literature [4], even without knowledge of the factorization of 
the modulus $n$, the Jacobi symbol can be calculated. 

Furthermore, we assume that the connection between the MS and Alice is secure, 
for instance by using secure mechanisms such as a VPN or a shared encryption 
key. 

2. Signature verification. After receiving the pair $(m, (s, a))$, the verifier, 
Bob, calculates $h(m\|id)$ using Alice's email address, which is already 
widely known. Then Bob tests whether $s^2 2^{-a} \equiv h(m\|id) \pmod n$ or 
$s^2 2^{-a} \equiv n - h(m\|id) \pmod n$. Bob accepts the signature only if one of the 
two equations is true. 

Theorem 2. With the choice of the message space and the integer $a$, we have 
$2^a h(m\|id) \bmod n \in J_n$. 

Proof. With the choice of the message space and the integer $a$, the Ja- 
cobi symbol $(\frac{h(m\|id)}{n})$ equals $1$ or $-1$. Since $n$ is a Williams integer, 
$(\frac{2}{p}) = -1$ and $(\frac{2}{q}) = 1$, so $2$ is a quadratic non-residue modulo $n$, which means $(\frac{2}{n}) = -1$. In ad- 
dition, it is obvious that $\gcd(2^a h(m\|id), n) = 1$. Therefore, the follow- 
ing conclusion can be easily obtained: $(\frac{2^a h(m\|id)}{n}) = (\frac{2}{n})^a (\frac{h(m\|id)}{n}) = 1$, which leads to the 

conclusion $2^a h(m\|id) \bmod n \in J_n$. 

Theorem 3. If all parties involved in the signature generation carry out the 
protocol properly, then verifiers can make sure the signature is a valid one. 

Proof. Let $(s, a)$ be a correct signature on message $m$. By Theorem 2, with 
the choice of the message space and the integer $a$, $2^a h(m\|id) \bmod n$ belongs 
to $J_n$. In addition, $n$ is a Williams integer, so we know from Theorem 1 
that 

$$s^2 2^{-a} = \{(2^a h(m\|id))^d\}^2\, 2^{-a} \equiv \begin{cases} h(m\|id), & \text{if } 2^a h(m\|id) \in Q_n \\ n - h(m\|id), & \text{if } 2^a h(m\|id) \in \tilde{Q}_n \end{cases} \pmod n$$ 

Now we can conclude that the signature verification process can make sure the 
validity of the signatures generated by IBS-QR. 
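The notation section (Jacobi symbol, Williams integer, Theorem 1) and the signing and verification procedure of section 3.1 (Figures 1 and 2, Theorems 2 and 3) fit in one worked example, added here for this edition; it is not code from the paper or its authors. It assumes: demo primes of about 20 bits found by trial division (the paper's $n$ would be of cryptographic size); SHA-256 reduced modulo $n$ as $h(m\|id)$ and as the hash $h(s'\|a\|m\|id)$ sent to the MS; the user part $r$ drawn below $d$ so that $r + R = d$ holds as integers (the paper writes $R = (d - r) \bmod n$); and the standard reciprocity-based Jacobi symbol algorithm, which the paper attributes to [4] without spelling it out.

```python
import hashlib
import secrets
from math import gcd

def jacobi(a: int, n: int) -> int:
    """Jacobi symbol (a/n) for odd n > 0, computed without factoring n."""
    if n <= 0 or n % 2 == 0:
        raise ValueError("n must be a positive odd integer")
    a %= n
    result = 1
    while a:
        while a % 2 == 0:            # strip factors of 2: (2/n) = -1 iff n = 3, 5 (mod 8)
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a                  # reciprocity: sign flips iff both are 3 (mod 4)
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0   # 0 when gcd(a, n) > 1

def is_prime(x: int) -> bool:
    """Trial division; adequate for the ~20-bit demo primes used here."""
    if x < 2:
        return False
    i = 2
    while i * i <= x:
        if x % i == 0:
            return False
        i += 1
    return True

def next_prime(start: int, residue_mod_8: int) -> int:
    """Smallest prime >= start congruent to residue_mod_8 modulo 8."""
    x = start
    while not (x % 8 == residue_mod_8 and is_prime(x)):
        x += 1
    return x

# Demo Williams integer n = pq with p = 3 (mod 8), q = 7 (mod 8); toy sizes.
P_DEMO, Q_DEMO = next_prime(1 << 20, 3), next_prime(1 << 20, 7)

class TrustedAuthority:
    """TA: keeps (p, q, d) with d = (n - p - q + 5)/8 and splits d = r + R per user."""
    def __init__(self, p: int, q: int):
        assert p % 8 == 3 and q % 8 == 7 and is_prime(p) and is_prime(q)
        self.n = p * q
        self.d = (self.n - p - q + 5) // 8
        self.ms_keys = {}   # id -> R, the MS-part keys handed to the mediated signer

    def register(self, ident: bytes) -> int:
        # Assumption of this demo: r is drawn below d so that r + R = d as integers.
        r = secrets.randbelow(self.d - 1) + 1
        self.ms_keys[ident] = self.d - r
        return r            # user-part private key

def h_mod_n(m: bytes, ident: bytes, n: int) -> int:
    """h(m || id) reduced modulo n."""
    return int.from_bytes(hashlib.sha256(m + b"||" + ident).digest(), "big") % n

def commit(s1: int, a: int, m: bytes, ident: bytes) -> str:
    """h(s' || a || m || id), sent along with the temporary result."""
    return hashlib.sha256(b"||".join([str(s1).encode(), str(a).encode(), m, ident])).hexdigest()

def power_2d(x: int, n: int, d: int) -> int:
    """Theorem 1: for x in J_n, x^(2d) mod n is x if x in Q_n and n - x otherwise."""
    return pow(x, 2 * d, n)

def user_sign_step(n: int, r: int, m: bytes, ident: bytes):
    """Figure 1 (Alice). Returns (s', a, h), or None when m must be changed (Note 1)."""
    hm = h_mod_n(m, ident, n)
    if gcd(hm, n) != 1:
        return None
    a = 0 if jacobi(hm, n) == 1 else 1       # Theorem 2: 2^a h(m||id) mod n is in J_n
    s1 = pow((pow(2, a) * hm) % n, r, n)
    return s1, a, commit(s1, a, m, ident)

def ms_sign_step(n: int, ms_keys: dict, s1: int, a: int, m: bytes, ident: bytes, tag: str):
    """Figure 2 (MS): verify h, then s = s' (2^a h(m||id))^R = (2^a h(m||id))^d mod n."""
    if tag != commit(s1, a, m, ident):
        raise ValueError("hash check failed: temporary result does not match (s', a, m, id)")
    base = (pow(2, a) * h_mod_n(m, ident, n)) % n
    return (s1 * pow(base, ms_keys[ident], n)) % n, a

def verify(n: int, m: bytes, ident: bytes, sig) -> bool:
    """Bob: accept iff s^2 2^-a is h(m||id) or n - h(m||id) (mod n)."""
    s, a = sig
    hm = h_mod_n(m, ident, n)
    lhs = s * s * pow(pow(2, a, n), -1, n) % n
    return lhs == hm or lhs == (n - hm) % n
```

The MS's hash check is what the security analysis later relies on to reject a temporary result that was not derived from $(s', a, m, id)$ by the user; `ms_sign_step` raises on a mismatch rather than completing the signature. Verification under a different identity fails because $h(m\|id)$ changes, which is the identity binding the paper describes.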



3.2 Security Analysis of IBS-QR 

Let $n$ be a large composite with unknown factorization. Computing 
square roots modulo $n$ is believed to be as difficult as factoring large integers 
[7]. We study the security of IBS-QR on the assumption that the modulus $n$ 
cannot be factorized. 

Because a hash function is used in the scheme, IBS-QR is chosen-ciphertext attack 
resistant: given $x$, one can compute $y = x^2 \bmod n$, but finding $z$ satisfying 
$y = h(z)$ amounts to inverting the hash function. Given $z$, one can 
compute $y = h(z)$, but finding $x$ is a quadratic residue problem. Furthermore, 
even if one has obtained a triple $(x_0, y_0, z_0)$ where $x_0^2 \equiv y_0 \pmod n$ and $y_0 = 
h(z_0)$, it is difficult to find another triple $(x_1, y_1, z_1)$ satisfying $x_1^2 \equiv y_1 \pmod n$, 
$y_1 = h(z_1)$. Otherwise, either $x_1 = x_0$, $y_1 = y_0$ but $z_1 \neq z_0$, which means that 
$h(x)$ is not a secure hash function, or $x_1^2 \equiv x_0^2 \equiv y_0 \pmod n$ but $x_1 \not\equiv x_0 \pmod n$, 

which means that $x_1 + x_0$ or $x_1 - x_0$ reveals one of the prime factors of the modulus $n$. 
This is impossible according to the assumption on the difficulty of factorizing 
the modulus. 

Because the private key is split into two parts, no party owns a complete pri- 
vate/public key pair. This protects the system from revealing information about 
the modulus. The mediated signer, since it only knows one part of the private key, has 
no ability to sign messages on behalf of the system users. Even when the 
mediated signer is compromised, the knowledge of all the different $R$ does not 
enable the attacker to factorize the modulus or sign messages in the name of the 
system users, because the user's part of the private key is never transmitted to 
the mediated signer in plain text and the attacker will not be able to compute the 
$r$-part from the view of the former signing process. The system will be broken only 
in the case that the attacker compromises the mediated signer and colludes 
with at least one of the users of the system. Since the $r$-part of the private 
key is only known to its owner, no one else in the system can initiate a signing 
process in the name of the owner. 

A possible attack is that Alice initiates a valid signature process with the MS 
and obtains a valid signature on $m$. Afterwards, she claims that this signature is 
from someone else, say, Bob. We would say this attack will not succeed because 
we have combined the signer's identity into the signature. When the receiver 
verifies the signature, Bob's identity ($h(m\|id_{Bob})$) instead of Alice's ($h(m\| 
id_{Alice})$) will be used, and that will result in a failed signature verification. 

Another possible forgery attack is as follows. Alice has the signature $(m, (s, 
a))$ signed by the MS and herself. Then, she calculates the multiplicative inverse $x$ 
from $s \cdot x \equiv 1 \pmod n$. 

Signing by Alice: 

(1) compute $t = x \bmod n$ 

(2) send the temporary result $t \times 2^{a} h(m\|id_a)$ to the MS 

Signing by the MS: 

(1) select the corresponding key $R$ according to Alice's identity 

(2) compute the signature $s'' \equiv x \times \{2^{a'} h(m'\|id_b) \times 2^{a} h(m\|id_a)\}^{R}$ 

$= \{2^{a'} h(m'\|id_b) \times 2^{a} h(m\|id_a)\}^{d} \bmod n$ 

(3) send the result $(s'', a')$ back to Alice 

After receiving the pair $(s'', a')$, Alice calculates the final signature $s^* = s'' \times 
x \equiv (2^{a'} h(m'\|id_b))^{d} \bmod n$. Then, the forged signature for $m'$ is $(s^*, a')$. 
But this attack does not work in our system because the MS will check the hash 
value based on the tuple $s', a, m, id$. 

The IBS-QR scheme is much stronger if we assume that the connection 
between the MS and the users is secure, say, using authentication and encryption. 
4. Practical aspects 

We outline here one of the possible practical application scenarios to which 
the IBS-QR scheme may be applied. 

Let's consider the case of an organization which has dozens of branches 
and thousands of employees all over the world, with a frequent flow of personnel, 
and wants to deploy an internal signature system. If a conventional PKI architecture 
based on digital certificates were adopted, the management cost of pub- 
lishing certificates would be heavy. Even worse, because of the frequent personnel 
flow, the certificate revocation list (CRL) would be very difficult and inefficient 
to maintain. In contrast to the conventional one, it is much more convenient in the IBS-QR 
scheme to revoke any private key: after the revocation, the MS simply rejects 
signing requests from that revoked user immediately, so there is no delay. 

The presence of a mediated signer will not be a barrier to the usage of the 
system, especially when this system is adopted by an organization as an internal 
signature system: it is not difficult to set up and maintain such an on-line server 
as the mediated signer center. 

As for the computation cost, compared with the normal signature schemes 
based on the quadratic residue problem, $h(id)$ modular multiplications instead 
of two have to be calculated. On the other hand, there are fewer modular 
multiplications on the signer's side compared with most signature schemes. 

5. Comparison and conclusion 

We presented an identity based signature scheme, IBS-QR, based on the quadratic residue 
problem. The advantages of IBS-QR are that there is no need to publish public 
keys and revocation is quite simple. These features are completely distinct 
from the conventional way. The verifier can construct the public key of the 
signer from publicly available information. We list some advantages of 
the presented scheme as follows. 

■ There is no need to establish one or more Certificate Authorities to issue 
certificates which bind the identities and the corresponding public keys. 

■ There is no cross verification problem. 

■ The revocation is quite simple. Under the conventional PKI infrastructure, 
a CRL (certificate revocation list) is issued to withdraw certificates and, 
with them, the public keys contained in these certificates. The 
problem is that whichever way the CRL is published, there is a delay. In 
the IBS-QR scheme there is no delay: when a public key is withdrawn, the 
MS simply stops providing the signature service for the corresponding 
entity. 
A similar architecture has also been adopted in both BF-IBE and IB-mRSA, 
while different cryptographic primitives were used: BF-IBE used the ellip- 
tic curve primitive and RSA was used in IB-mRSA, whereas IBS-QR is based on the 
quadratic residue problem. All these schemes need a mediated center, which may 
also be called a trusted third party. IBS-QR provides the same revocation mecha- 
nism as IB-mRSA, while BF-IBE provides only periodic revocation instead 
of the fine grained revocation of IBS-QR and IB-mRSA. IBS-QR has almost 
the same performance as IB-mRSA, but better than BF-IBE as pointed out by [9]. 
Compared with IB-mRSA, IBS-QR provides a much better balance between sign- 
ing cost and verifying cost. In addition, IBS-QR has much higher efficiency in 
key generation compared with BF-IBE and IB-mRSA. In the IB-mRSA scheme, 
the key generation process is the same as in normal RSA-like algorithms: modular 
inversion operations have to be done to get the private keys, while in 
IBS-QR the only operation needed is to choose a random integer. 

The use of a mediated signer keeps the system secure while sharing 
a single modulus among all system users. Because the private key is split, the 
system as a whole is unforgeable and undeniable. 

Furthermore, the signing message space is now not limited to the quadratic 
residues modulo $n$. 

We tried to construct a signature scheme from a new angle and to facilitate the 
use of public key systems. It still remains uncertain whether an on-line medi- 
ated signer can run efficiently or not. Some test implementation, if possible, 
should be conducted in the near future. In addition, the verifying process is 
more expensive compared with normal quadratic residue problem based signa- 
ture schemes (where only two modular multiplications are needed). Further investigation 
should be continued on these aspects. 

Notes 

1. As we know, $n = pq$; $p$ and $q$ are the only factors of $n$. If $\gcd(h(m\|id), n) \neq 1$, then $h(m\|id)$ 
must be of the form $ip$ or $i'q$, where $i \in \{1, \ldots, q-1\}$ and $i' \in \{1, \ldots, p-1\}$, so it is much easier to get the factor $p$ or $q$. 
Abstract In 1994, He and Kiesler proposed a digital signature scheme which was claimed to 
be based on the factoring problem and the discrete logarithms problem. This paper 
shows that any attacker can forge the signature of the He-Kiesler scheme without 
solving any hard problem. A new digital signature scheme is proposed, the 
security of which is based on both the factorization problem and the discrete logarithms 
problem. 

Keywords: cryptography, digital signature, factoring, discrete logarithms, security 

1. Introduction

In 1994, Harn [1] and He and Kiesler [2] proposed digital signature schemes based on two hard problems, the factoring problem and the discrete logarithm problem. Since then, many digital signature schemes based on these two hard problems have been proposed [3, 4, 5, 6]. Unfortunately, most of them have been shown to be insecure [7, 8, 9, 10]. For example, in 1995 Harn [7] showed that one can break the He-Kiesler scheme [2] if one has the ability to solve the factorization problem. In the same year, Lee and Hwang [8] showed that if one has the ability to solve discrete logarithms, one can break the He-Kiesler scheme. This paper shows that any attacker can forge signatures of the He-Kiesler scheme without solving any hard problem. We then propose a new digital signature scheme, which is secure as long as one cannot solve the factorization problem and the discrete logarithm problem simultaneously.
2. He-Kiesler scheme and a simple attack

2.1 He-Kiesler scheme

Let $p$ be a large prime such that $p - 1$ has two large prime factors $p_1$ and $q_1$. Let $n = p_1 q_1$, and let $g$ be a primitive element, or an element of large order, of $GF(p)$. Note that if a common $p$ is used by all users, the two factors of $n$ must be kept secret from every user (actually these two factors will never be used by anyone, and thus can be discarded once $n$ is produced).

Any user A has a secret key $x_1$ ($1 < x_1 < n$) such that $\gcd(x_1, p - 1) = 1$. From $x_1$, A constructs the quadratic residue $x = x_1^2 \bmod (p - 1)$ and the corresponding public key $y = g^x \bmod p$. To sign a message $m$, A does the following:

1) Randomly chooses an integer $t_1$ ($1 < t_1 < n$) such that $\gcd(t_1, p - 1) = 1$, and calculates $t = t_1^2 \bmod (p - 1)$.

2) Computes $c = x_1 t_1 \bmod (p - 1)$.

3) Computes $r = g^t \bmod p$ and makes sure that $r \neq 1$.

4) Finds $s$ such that

$m = xr + ts \bmod (p - 1)$   (1)

5) Sends $\mathrm{Sig}(m) = (r, s, c)$ as the signature.

To verify that $(r, s, c)$ is a valid signature of $m$, one simply checks the identity

2.2 A simple attack

Let $(r, s, c)$ be a signature of a known message $m$. Multiplying (1) by $x$ we have

$mx = x^2 r + s\,tx \bmod (p - 1)$.

Since $c^2 = x_1^2 t_1^2 = tx \bmod (p - 1)$, the attacker obtains the second-order equation

$r x^2 - mx + s c^2 = 0 \bmod (p - 1)$   (2)

Assume that $(r', s', c')$ is a signature of a known message $m'$ such that $mr' - m'r \neq 0 \bmod (p - 1)$. Then the attacker obtains another second-order equation

$r' x^2 - m'x + s' c'^2 = 0 \bmod (p - 1)$   (3)

Now the attacker can easily obtain $x$ and $x^2$ by solving (2) and (3), which are linear in the two unknowns $x$ and $x^2$, and obtain $t$ from $x$ by solving (1).

Although the attacker cannot calculate the secret key $x_1$ from the signing key $x$, he can forge signatures of the signer A as follows. To sign a forged message $m''$, he chooses an arbitrary signature $(r, s, c)$ and finds $s''$ such that the equation

$m'' = rx + t s'' \bmod (p - 1)$

is satisfied. The signature of the message $m''$ is $(r, s'', c)$.

3. Modified He-Kiesler Signature Scheme

3.1 The new scheme

Let $p$ be a large prime such that $p - 1$ has two large prime factors $p_1$ and $q_1$. Let $n = p_1 q_1$, and let $g$ be a primitive element of $GF(p)$. User A has a secret key $x$ ($1 < x < n$) such that $\gcd(x, p - 1) = 1$. The corresponding public key is $y = g^{x^2} \bmod p$. To sign a message $m$, A does the following:

1) Randomly chooses an integer $t$ ($1 < t < n$) such that $\gcd(t, p - 1) = 1$.

2) Computes $r_1 = g^{t^2} \bmod p$ and $r_2 = g^{t^{-2}} \bmod p$, and makes sure that $r_1 \neq 1$.

3) Finds $s$ such that

$m t^{-1} = x r_1 + t s^2 \bmod (p - 1)$   (4)

4) Sends $\mathrm{Sig}(m) = (r_1, r_2, s)$ as the signature.

To verify that $(r_1, r_2, s)$ is a valid signature of $m$, one checks the identity

(5)

Now we show that if the signer follows the above protocol, the recipient always accepts the signature. From (4), squaring both sides of $m t^{-1} - t s^2 = x r_1$,

$x^2 r_1^2 = m^2 t^{-2} + t^2 s^4 - 2 m s^2 \bmod (p - 1)$

so that

$m^2 t^{-2} + t^2 s^4 = x^2 r_1^2 + 2 m s^2 \bmod (p - 1)$

hence

Therefore, (5) holds.

In the He-Kiesler scheme, the signer does not need to know how to factor $p - 1$, thus it is possible for every user to employ the same common modulus $p$. But in the new scheme, every user must employ a different modulus $p$ and know how to factor $p - 1$.

In (4) and (5) of the new scheme, if $m$ is replaced by $h(r_1, r_2, m)$, where $h$ is a collision-free one-way hash function, the new scheme is more secure.
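The following is an added example, not code from the paper, implementing the scheme of 3.1 with toy parameters so that the correctness argument above can be checked numerically. The primes $p_1 = 23$, $q_1 = 29$ are constructed values and $p$ is searched for in the form $2c \cdot p_1 q_1 + 1$; since the verification identity (5) is not legible on this page, `verify()` checks the identity obtained by raising $g$ to both sides of the squared form of (4), namely $y^{r_1^2} g^{2ms^2} = r_2^{m^2} r_1^{s^4} \bmod p$, which is an assumption about the form of (5). The square root modulo $p - 1$ that a signer needs for (4) is found by brute force, standing in for the CRT computation a signer who knows the factorisation of $p - 1$ would use. All function names are the example's own.

```python
# Added example (not code from the paper): toy modified He-Kiesler scheme.
# Assumption: the verification identity (5) is taken to be the one derived
# by exponentiating the squared form of equation (4).
from math import gcd
import random


def is_prime(n):
    """Trial-division primality test, adequate for toy parameters."""
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True


def prime_factors(n):
    """Distinct prime factors of n by trial division."""
    fs, d = [], 2
    while d * d <= n:
        if n % d == 0:
            fs.append(d)
            while n % d == 0:
                n //= d
        d += 1
    if n > 1:
        fs.append(n)
    return fs


def make_params(p1, q1):
    """Find a prime p with p - 1 = 2*c*p1*q1 for a small cofactor c and a
    primitive element g of GF(p). Returns (p, n = p1*q1, g)."""
    c = 1
    while not is_prime(2 * c * p1 * q1 + 1):
        c += 1
    p = 2 * c * p1 * q1 + 1
    fs = prime_factors(p - 1)
    g = 2
    while any(pow(g, (p - 1) // f, p) == 1 for f in fs):
        g += 1
    return p, p1 * q1, g


def keygen(p, n, g, rng):
    """Secret x with 1 < x < n and gcd(x, p-1) = 1; public y = g^(x^2) mod p."""
    while True:
        x = rng.randrange(2, n)
        if gcd(x, p - 1) == 1:
            return x, pow(g, x * x % (p - 1), p)


def sqrt_mod(a, mod):
    """Brute-force square root modulo the composite p-1 (stand-in for the
    CRT computation of a signer who knows the factors of p-1)."""
    for s in range(1, mod):
        if s * s % mod == a % mod:
            return s
    return None


def sign(p, n, g, x, m, rng):
    """Produce (r1, r2, s) satisfying (4): m*t^-1 = x*r1 + t*s^2 mod (p-1).
    t is re-drawn until the needed square root modulo p-1 exists."""
    mod = p - 1
    while True:
        t = rng.randrange(2, n)
        if gcd(t, mod) != 1:
            continue
        t_inv = pow(t, -1, mod)
        r1 = pow(g, t * t % mod, p)
        r2 = pow(g, t_inv * t_inv % mod, p)
        if r1 == 1:
            continue
        target = (m * t_inv - x * r1) * t_inv % mod   # s^2 from (4)
        s = sqrt_mod(target, mod)
        if s is not None:
            return r1, r2, s


def verify(p, g, y, m, sig):
    """Assumed form of (5): y^(r1^2) * g^(2*m*s^2) == r2^(m^2) * r1^(s^4) mod p."""
    r1, r2, s = sig
    lhs = pow(y, r1 * r1, p) * pow(g, 2 * m * s * s, p) % p
    rhs = pow(r2, m * m, p) * pow(r1, s ** 4, p) % p
    return lhs == rhs


def demo():
    """Sign a toy message and check that verification accepts it and
    rejects a neighbouring message. Returns (accepted, tampered_accepted)."""
    rng = random.Random(7)
    p, n, g = make_params(23, 29)          # constructed toy primes
    x, y = keygen(p, n, g, rng)
    m = 1234 % (p - 1)
    sig = sign(p, n, g, x, m, rng)
    return verify(p, g, y, m, sig), verify(p, g, y, m + 1, sig)
```

With these parameters `make_params(23, 29)` yields $p = 4003$ ($p - 1 = 2 \cdot 3 \cdot 23 \cdot 29$); the rejection of $m + 1$ is forced because, with $t$ odd, the two sides of the identity would have to differ by an odd multiple of $t^{-2}$ modulo the even number $p - 1$.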

3.2 The security of the new scheme

As to the security of the new scheme, note the following.

(1) To recover $x$ from the public key $y = g^{x^2} \bmod p$ it is necessary to compute both the discrete logarithm of $y$ modulo $p$ (to obtain $x^2$) and the square root of $x^2$ modulo $n$ (to obtain $x$).

(2) To recover $x$ from (4) it is necessary to compute both the discrete logarithm of $r_1$ modulo $p$ (to obtain $t^2$) and the square root of $t^2$ modulo $n$ (to obtain $t$), or to compute both the discrete logarithm of $r_2$ modulo $p$ (to obtain $t^{-2}$) and the square root of $t^{-2}$ modulo $n$ (to obtain $t^{-1}$).

(3) Even if an attacker has the ability to compute discrete logarithms modulo a large prime $p$, he can recover $x^2$, $t^2$ and $t^{-2}$ from $y$, $r_1$ and $r_2$ respectively. To forge the signature of A for any message $m'$, the attacker must find $s'$ such that

$m' t^{-1} = x r_1 + t s'^2 \bmod (p - 1)$

so that

$x^2 r_1^2 = m'^2 t^{-2} + t^2 s'^4 - 2 m' s'^2 \bmod (p - 1)$

To solve for $s'$ from the above equation he must face another difficult problem: factoring $p - 1$.

(4) Assume that a signature $(r_1, r_2, s)$ of a known message $m$ is given. It is then possible for the attacker to establish the following equation from (4):

$s^2 = m t^{-2} - x r_1 t^{-1} \bmod (p - 1)$

To sign a forged message $m'$, he must find an $s'$ such that

$s'^2 = m' t^{-2} - x r_1 t^{-1} \bmod (p - 1)$

From the above two equations it follows that

$s'^2 = s^2 - m t^{-2} + m' t^{-2} \bmod (p - 1)$

To recover $s'$ it is necessary to compute both the discrete logarithm of $r_2$ modulo $p$ (to obtain $t^{-2}$) and the square root of $s'^2$ modulo $n$ (to obtain $s'$).
4. Conclusion

We have shown that any attacker can forge signatures of the He-Kiesler scheme without solving any hard problem. A modified He-Kiesler signature scheme is proposed, the security of which is based on both the factorization problem and the discrete logarithm problem.
Abstract In this paper, we propose a new transitive digital signature scheme, which is a generalized realization based on the discrete logarithm problem. We also show that our new scheme is provably transitively unforgeable under adaptive chosen-message attack, assuming the discrete logarithm problem is hard.

Introduction

Recently, Micali and Rivest introduced the concept of transitive digital signatures, which is that of dynamically building an authenticated graph, edge by edge [MicaRiv]. Informally, this is a way to digitally sign vertices and edges of a transitively closed graph G, so as to guarantee the properties of transitivity and unforgeability.

These new features are algebraic properties and have many interesting applications. Consider an undirected example where the graph represents a set of administrative domains: the nodes represent computers, and an undirected edge {u, v} means that u and v are in the same administrative domain. It is clear that if u and v are in the same administrative domain and v and w are in the same administrative domain, then u and w are in the same administrative domain. Following the above concept, Bellare and Neven designed some novel realizations of transitive signature schemes based on factoring and RSA [BellNev], and these schemes are proven transitively unforgeable under adaptive chosen message attack assuming that factoring is hard.

In this paper, following the formal definition of transitive signatures described by Bellare and Neven in [BellNev], we design a new transitive signature scheme based on the discrete logarithm problem. The new scheme is very different from Micali and Rivest's scheme.

1. Definitions

In this paper, all graphs are undirected. A graph $G^* = (V^*, E^*)$ is transitively closed if for all nodes $i, j, k \in V^*$ such that $\{i, j\} \in E^*$ and $\{j, k\} \in E^*$, it also holds that $\{i, k\} \in E^*$. In other words, the transitive closure $G^* = (V^*, E^*)$ of $G = (V, E)$ is defined to have $V^* = V$ and to have an edge $\{i, j\}$ in $E^*$ if and only if there is a path (of length zero or greater) from $i$ to $j$ in $G$.

Transitive signature scheme:

A transitive signature scheme TS = (TKG, TSign, TVf, Comp) is specified by four polynomial-time algorithms, whose functionality is the following:

■ The randomized key generation algorithm TKG takes input $1^k$, where $k \in \{1, 2, \ldots\}$ is the security parameter, and returns a pair $(tpk, tsk)$ consisting of a public key and a matching secret key.

■ The signing algorithm TSign takes as input the secret key $tsk$ and nodes $i, j \in \{1, 2, \ldots\}$, and returns a value called an original signature of edge $\{i, j\}$ relative to $tsk$.

■ The deterministic verification algorithm TVf, given $tpk$, nodes $i, j \in \{1, 2, \ldots\}$ and a candidate signature $\sigma$, returns either 1 or 0. In the former case, we say that $\sigma$ is a valid signature of edge $\{i, j\}$ relative to $tpk$.

■ The deterministic composition algorithm Comp takes $tpk$, nodes $i, j, k \in \{1, 2, \ldots\}$ and values $\sigma_1, \sigma_2$, and returns either a value $\sigma$ or a symbol $\bot$ to indicate failure.

Correctness of transitive signature scheme:

In practice, it is desirable to allow users to name nodes via whatever identifiers they choose, but these names can always be encoded as integers, so we make the simplifying assumption that the nodes of the graph are positive integers.
Figure 1. The correctness experiment, run with an algorithm A:

(tpk, tsk) ← TKG(1^k)
S ← ∅; Legit ← true; NotOK ← false
Run A with its oracles until it halts, replying to its oracle queries as follows:
  If A makes a TSign query i, j then
    If i = j then Legit ← false
    Else
      Let σ be the output of the TSign oracle and let S ← S ∪ {({i, j}, σ)}
      If TVf(tpk, i, j, σ) = 0 then NotOK ← true
  If A makes a Comp query i, j, k, σ1, σ2 then
    If [({i, j}, σ1) ∉ S] or [({j, k}, σ2) ∉ S] or i, j, k are not all distinct, then Legit ← false
    Else
      Let σ be the output of the Comp oracle and let S ← S ∪ {({i, k}, σ)}
      Let τ ← TSign(tsk, i, k)
      If (σ ≠ τ) or TVf(tpk, i, k, σ) = 0 then NotOK ← true
When A halts, output (Legit ∧ NotOK)

According to the above steps, the meaning of correctness of a transitive signature scheme is that it is impossible for any algorithm A making only legitimate queries to obtain a composed signature that differs from the original one.

Definition 1 We say the transitive signature scheme TS = (TKG, TSign, TVf, Comp) is correct if for every algorithm A and every $k$, the output of the experiment of Figure 1 is true with probability zero.

The experiment computes a boolean Legit which is set to false if A ever makes an illegitimate query. It also computes a boolean NotOK which is set to true if a signature returned by the composition algorithm differs from the original one. To win, A must stay legitimate (meaning Legit = true) but violate correctness (NotOK = true). The experiment returns true with probability zero.

Security of transitive signature scheme:

For a transitive signature scheme TS = (TKG, TSign, TVf, Comp) with security parameter $k \in \mathbb{N}$, $\mathrm{Exp}_{TS,F}(k)$ denotes the attack experiment carried out by adversary F. $\mathrm{Exp}_{TS,F}(k)$ returns 1 if and only if F is successful in its attack on this scheme. The experiment begins by running TKG on input $1^k$ to get keys $(tpk, tsk)$. If we are in the random oracle model, it also chooses the appropriate hash functions at random. It then runs F, providing this adversary with input $tpk$ and oracle access to the function $\mathrm{TSign}(tsk, \cdot, \cdot)$. The oracle is assumed to maintain state or toss coins as needed. Eventually, F will output nodes $i^*, j^* \in \mathbb{N}$ and some value $\sigma^*$. Let $E$ be the set of all edges $\{a, b\}$ such that F made oracle query $a, b$, and let $V$ be the set of all integers $a$ such that $a$ is adjacent to some edge in $E$. We say that F wins if $\sigma^*$ is a valid signature of $\{i^*, j^*\}$ relative to $tpk$, but edge $\{i^*, j^*\}$ is not in the transitive closure $G^*$ of the graph $G = (V, E)$.

The experiment returns 1 if F wins and 0 otherwise. The advantage of F in its attack on TS is the function $\mathrm{Adv}_{TS,F}(k)$ defined by

$\mathrm{Adv}_{TS,F}(k) = \Pr[\mathrm{Exp}_{TS,F}(k) = 1]$,

the probability being over all the random choices made in the experiment.

Definition 2 We say that TS is transitively unforgeable under adaptive chosen-message attack if the function $\mathrm{Adv}_{TS,F}(k)$ is negligible for any adversary F whose running time is polynomial in the security parameter $k$.
2. New undirected transitive signature scheme

In this section we describe a new transitive signature scheme for working on undirected graphs; it is based on the difficulty of the discrete logarithm problem.

Standard signature scheme

Our new scheme uses an underlying standard digital signature scheme SDS = (SKG, SSign, SVf), where SKG is a polynomial-time key generation algorithm, SSign is the signing algorithm, and SVf is the verification algorithm. We use the security definition proposed by Goldwasser, Micali and Rivest in [GoldMic]. A forger B is given adaptive oracle access to the signing algorithm, and its advantage $\mathrm{Adv}_{SDS,B}(k)$ in breaking SDS is defined as the probability that it outputs a valid signature for a message that was not one of its previous oracle queries. The scheme SDS is said to be secure against forgery under adaptive chosen message attack if $\mathrm{Adv}_{SDS,B}(k)$ is negligible for every forger B with running time polynomial in the security parameter $k$.

Discrete logarithm problem

A modulus generator MG is a randomized, polynomial-time algorithm that on input $1^k$ returns a triple $(p, q, g)$, where $p$ and $q$ are large primes, $2^{k-1} < p < 2^k$, such that $q$ divides $p - 1$ and $g \in \mathbb{Z}_p^*$ is a generator of order $q$; the group generated by $g$ is denoted by $G_q$. We do not restrict the type of generator, but only assume that the associated discrete logarithm problem is hard. Formally, for any adversary A and any $k \in \mathbb{N}$, we let

$\mathrm{Adv}^{dlp}_{MG,A}(k) = \Pr[\, y = g^x \bmod p \;:\; (p, q, g) \leftarrow MG(1^k);\ y \leftarrow \mathbb{Z}_p^*;\ x \leftarrow A(k, p, q, g, y) \,]$

We say that the discrete logarithm problem is hard if the function $\mathrm{Adv}^{dlp}_{MG,A}(k)$ is negligible for every A whose running time is polynomial in $k$.

New transitive signature scheme

Given a modulus generator MG and a standard signature scheme SDS = (SKG, SSign, SVf), we design a new transitive signature scheme DLPTS = (TKG, TSign, TVf, Comp) as follows.

■ Given input $1^k$, the key generation algorithm TKG first runs SKG on input $1^k$ to generate a key pair $(spk, ssk)$ for the standard signature scheme SDS. It then runs the modulus generator MG on input $1^k$ to get a triple $(p, q, g)$. It outputs $tpk = (p, q, g, spk)$ as the public key. Let $S = \emptyset$, Legit = true, NotOK = false.

■ The signing algorithm TSign maintains state $(V, \ell, Y, \Sigma)$, where $V \subseteq \mathbb{N}$ is the set of all queried nodes, the function $\ell : V \to \mathbb{Z}_q$ assigns to each node $i \in V$ a secret label $\ell(i) \in \mathbb{Z}_q$, the function $Y : V \to \mathbb{Z}_p^*$ assigns to each node $i \in V$ a public label $y_i$, and the function $\Sigma : V \to \{0, 1\}^*$ assigns to each node $i$ a standard signature on $(i \| y_i)$ under the secret key $ssk$. When invoked on inputs $tsk, i, j$, meaning asked to produce a signature on edge $\{i, j\}$, it does the following:

  If i = j then Legit ← false
  If j < i then l ← j; j ← i; i ← l   (swap i and j)
  If i ∉ V then V ← V ∪ {i}; ℓ(i) ← Z_q (at random); y_i = g^{ℓ(i)} mod p;
    Σ(i) ← SSign(ssk, (i ‖ y_i))
  If j ∉ V then V ← V ∪ {j}; ℓ(j) ← Z_q (at random); y_j = g^{ℓ(j)} mod p;
    Σ(j) ← SSign(ssk, (j ‖ y_j))
  δ ← [ℓ(i) − ℓ(j)] mod q; C_i ← (i, y_i, Σ(i)); C_j ← (j, y_j, Σ(j)); σ ← (C_i, C_j, δ)
  S ← S ∪ {[(i, j), σ]}
  If TVf(tpk, i, j, σ) = 0 then NotOK ← true
  We refer to (i, y_i, Σ(i)) as a certificate of node i.
  Return (C_i, C_j, δ) as the signature of {i, j}.

  Return Legit ∧ NotOK

■ The verification algorithm TVf, on input $tpk = (p, q, g, spk)$, nodes $i, j$ and a candidate signature $\sigma$, proceeds as follows:

  If j < i then l ← j; j ← i; i ← l   (swap i and j)
  Let σ = (C_i, C_j, δ), C_i = (i, y_i, Σ(i)) and C_j = (j, y_j, Σ(j))
  If SVf(spk, i ‖ y_i, Σ(i)) = 0 or SVf(spk, j ‖ y_j, Σ(j)) = 0, then return 0
  If y_i (y_j)^{−1} = g^δ mod p then return 1 else return 0.

■ The composition algorithm Comp takes nodes $i, j, k$, a signature $\sigma_1 = (C_1, C_2, \delta_1)$ of the edge $\{i, j\}$, and a signature $\sigma_2 = (C_3, C_4, \delta_2)$ of the edge $\{j, k\}$, and proceeds as follows:

  If [({i, j}, σ1) ∉ S] or [({j, k}, σ2) ∉ S] or i, j, k are not all distinct, then Legit ← false
  Let C_i ∈ {C_1, C_2}, with C_i = (i, y_i, Σ(i)).
  Let C_j ∈ {C_1, C_2}, with C_j = (j, y_j, Σ(j)).
  If C_j ∉ {C_3, C_4}, then return ⊥.
  Let C_k ∈ {C_3, C_4}, with C_k = (k, y_k, Σ(k)).
  If i < j < k then δ ← (δ1 + δ2); Return (C_i, C_k, δ)
  If i < k < j then δ ← (δ1 − δ2); Return (C_i, C_k, δ)
  If j < i < k then δ ← (−δ1 + δ2); Return (C_i, C_k, δ)
  If k < i < j then δ ← (−δ1 + δ2); Return (C_k, C_i, δ)
  If j < k < i then δ ← (δ1 − δ2); Return (C_k, C_i, δ)
  If k < j < i then δ ← (δ1 + δ2); Return (C_k, C_i, δ)

  σ ← [C_i, C_k, δ]; S ← S ∪ {[(i, k), σ]}
  Let τ ← TSign(tsk, i, k)
  If (σ ≠ τ) or TVf(tpk, i, k, σ) = 0, then NotOK ← true
  Return Legit ∧ NotOK
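As an added example that is not part of the paper, the following Python code implements DLPTS = (TKG, TSign, TVf, Comp) for the scheme just described and exercises the six node orderings of Comp, checking the NotOK condition of Figure 1: a composed signature must equal the original signature TSign would produce on {i, k} and must verify. The group parameters $p = 2039$, $q = 1019$, $g = 4$ are constructed here ($p = 2q + 1$, and 4 is a square, so it has order $q$), and a Schnorr signature over the same group, with SHA-256 as the hash, stands in for the standard scheme SDS; the paper does not fix SDS, so this choice and all function names are the example's own.

```python
# Added example (not the paper's code): toy DLPTS with a Schnorr-style SDS.
# Constructed parameters p = 2039, q = 1019, g = 4 (order q since p = 2q+1).
import hashlib
import random

P, Q, G = 2039, 1019, 4


def h(*parts):
    """Hash into Z_q for the toy SDS (a constructed choice, not the paper's)."""
    data = "|".join(str(x) for x in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def skg(rng):
    """SKG: Schnorr key pair (spk, ssk) in the group generated by g."""
    ssk = rng.randrange(1, Q)
    return pow(G, ssk, P), ssk


def ssign(ssk, msg, rng):
    """SSign: Schnorr signature (c, z) on msg."""
    k = rng.randrange(1, Q)
    c = h(pow(G, k, P), msg)
    return c, (k + ssk * c) % Q


def svf(spk, msg, sig):
    """SVf: recompute R = g^z * spk^-c and compare the challenge."""
    c, z = sig
    r = pow(G, z, P) * pow(spk, (-c) % Q, P) % P
    return h(r, msg) == c


class DLPTS:
    """Signer side: TKG plus the stateful TSign of the scheme above."""

    def __init__(self, seed=1):
        self.rng = random.Random(seed)
        self.spk, self.ssk = skg(self.rng)      # TKG
        self.tpk = (P, Q, G, self.spk)
        self.label, self.cert = {}, {}           # state: l(i) and (i, y_i, Sigma(i))

    def _certify(self, i):
        """Assign a secret label and certificate to node i on first use."""
        if i not in self.cert:
            l = self.rng.randrange(0, Q)
            y = pow(G, l, P)
            self.label[i] = l
            self.cert[i] = (i, y, ssign(self.ssk, f"{i}|{y}", self.rng))
        return self.cert[i]

    def tsign(self, i, j):
        """Original signature on {i, j}: (C_i, C_j, l(i) - l(j) mod q) with i < j."""
        assert i != j
        i, j = min(i, j), max(i, j)
        ci, cj = self._certify(i), self._certify(j)
        return ci, cj, (self.label[i] - self.label[j]) % Q


def tvf(tpk, i, j, sig):
    """TVf: both certificates verify under spk and y_i * y_j^-1 = g^delta mod p."""
    p, q, g, spk = tpk
    i, j = min(i, j), max(i, j)
    ci, cj, delta = sig
    if ci[0] != i or cj[0] != j:
        return 0
    for node, y, s in (ci, cj):
        if not svf(spk, f"{node}|{y}", s):
            return 0
    return 1 if ci[1] * pow(cj[1], -1, p) % p == pow(g, delta, p) else 0


def comp(tpk, i, j, k, sig1, sig2):
    """Comp: combine a signature on {i, j} and one on {j, k} into one on {i, k},
    using the six orderings of the paper's Comp. Returns None on failure."""
    q = tpk[1]
    c1, c2, d1 = sig1
    c3, c4, d2 = sig2
    certs = {c[0]: c for c in (c1, c2, c3, c4)}
    if len({i, j, k}) != 3 or {c1[0], c2[0]} != {i, j} or {c3[0], c4[0]} != {j, k}:
        return None
    if i < j < k or k < j < i:
        d = d1 + d2
    elif i < k < j or j < k < i:
        d = d1 - d2
    else:                                    # j < i < k or k < i < j
        d = -d1 + d2
    lo, hi = min(i, k), max(i, k)
    return certs[lo], certs[hi], d % q


def demo():
    """Figure 1's NotOK check over all six orderings of three nodes."""
    ts = DLPTS(seed=3)
    ok = True
    for i, j, k in [(1, 2, 3), (1, 3, 2), (2, 1, 3), (3, 2, 1), (2, 3, 1), (3, 1, 2)]:
        s1, s2 = ts.tsign(i, j), ts.tsign(j, k)
        composed = comp(ts.tpk, i, j, k, s1, s2)
        ok = ok and composed == ts.tsign(i, k) and tvf(ts.tpk, i, k, composed) == 1
    return ok
```

Because labels and certificates are cached after first use, `tsign(i, k)` is deterministic once both nodes exist, which is what makes the equality test `composed == ts.tsign(i, k)` (the σ = τ condition of Lemma 3) meaningful.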

3. Correctness

In this section, we prove the correctness of the new scheme. We first have the following lemma.

Lemma 1: Suppose that $G^* = (V^*, E^*)$ is a transitively closed graph. We make transitive signatures on this graph with the above DLPTS. Let $S$ be the set of edges and corresponding signatures collected while running the TSign and Comp algorithms. For any $(\{i, j\}, \sigma) \in S$, we have the following equation (1).

Proof: In the DLPTS transitive signature scheme, there are two algorithms generating a new element $(\{i, j\}, \sigma)$ to be added to $S$: one is TSign, the other is Comp. At the beginning of DLPTS, $S = \emptyset$.

Firstly, we consider the TSign oracle query with $\{i, j\}$.

If $i = j$, Legit is set to false and TSign stops; no new element is added to $S$, so the above claim is right.

Else, a new element $(\{i, j\}, \sigma)$ is added to $S$, where $\sigma$ is the output of $\mathrm{TSign}(tsk, i, j)$:

If $i < j$, $\sigma = [(i, Y(i), \Sigma(i)), (j, Y(j), \Sigma(j)), \delta]$, where $\delta = (\ell(i) - \ell(j))$;
If $j < i$, $\sigma = [(j, Y(j), \Sigma(j)), (i, Y(i), \Sigma(i)), \delta]$, where $\delta = (\ell(j) - \ell(i))$.

Therefore, the newly added element $(\{i, j\}, \sigma)$ satisfies the above Equation (1). Because TSign only adds new elements to $S$, but never changes existing elements of $S$, after the TSign oracle query all elements of $S$ still satisfy the above Equation (1). The above claim is right.

Second, we consider the Comp oracle query with $i, j, k, \sigma_1, \sigma_2$.

If $(\{i, j\}, \sigma_1) \notin S$ or $(\{j, k\}, \sigma_2) \notin S$ or $i, j, k$ are not all distinct, then Legit is set to false and Comp stops; no new element is added to $S$, so the above claim holds.

Else, the composition algorithm is run, and a new element $(\{i, k\}, \sigma)$ is created and added to $S$, where $\sigma = \mathrm{Comp}(tpk, i, j, k, \sigma_1, \sigma_2)$. Depending on the order relations between $i$, $j$ and $k$, the variable $\delta$ inside the composition algorithm gets different values, as follows.

If $i < j < k$: $\delta_1 = (\ell(i) - \ell(j))$, $\delta_2 = (\ell(j) - \ell(k))$, $\delta = (\delta_1 + \delta_2) = (\ell(i) - \ell(k))$;

If $i < k < j$: $\delta_1 = (\ell(i) - \ell(j))$, $\delta_2 = (\ell(k) - \ell(j))$, $\delta = (\delta_1 - \delta_2) = (\ell(i) - \ell(k))$;

If $j < i < k$: $\delta_1 = (\ell(j) - \ell(i))$, $\delta_2 = (\ell(j) - \ell(k))$, $\delta = (-\delta_1 + \delta_2) = (\ell(i) - \ell(k))$;

If $k < i < j$: $\delta_1 = (\ell(i) - \ell(j))$, $\delta_2 = (\ell(k) - \ell(j))$, $\delta = (-\delta_1 + \delta_2) = (\ell(k) - \ell(i))$;

If $j < k < i$: $\delta_1 = (\ell(j) - \ell(i))$, $\delta_2 = (\ell(j) - \ell(k))$, $\delta = (\delta_1 - \delta_2) = (\ell(k) - \ell(i))$;

If $k < j < i$: $\delta_1 = (\ell(j) - \ell(i))$, $\delta_2 = (\ell(k) - \ell(j))$, $\delta = (\delta_1 + \delta_2) = (\ell(k) - \ell(i))$.

Therefore, the newly added element $(\{i, k\}, \sigma)$ satisfies the above Equation (1). Because Comp only adds new elements to $S$, but never changes existing elements of $S$, all elements of $S$ still satisfy the above Equation (1). The above claim is right. Lemma 1 has been proved.

In order to verify the validity of any $(\{i, j\}, \sigma) \in S$ in the DLPTS transitive signature scheme, where $\sigma = [(i, Y(i), \Sigma(i)), (j, Y(j), \Sigma(j)), \delta]$, we must verify the following two equations:

(1) $\mathrm{SVf}(spk, i \| Y(i), \Sigma(i)) = 1$ and $\mathrm{SVf}(spk, j \| Y(j), \Sigma(j)) = 1$, and

(2) $Y(i) Y(j)^{-1} = g^{\delta} \bmod p$.

For any $i \in V$, $\Sigma(i) = \mathrm{SSign}(ssk, i \| Y(i))$; SSign is the signing part of the standard signature scheme SDS and SVf is the verifying part of the same SDS, so $\mathrm{SVf}(spk, i \| Y(i), \Sigma(i))$ is true.

On the other hand, from Lemma 1, for any $(\{i, j\}, \sigma) \in S$ with $\sigma = [(i, Y(i), \Sigma(i)), (j, Y(j), \Sigma(j)), \delta]$, we have $\delta = \ell(i) - \ell(j) \bmod q$, and hence the equation $Y(i) = g^{\delta}\, Y(j) \bmod p$.

Lemma 2: At any time in the DLPTS transitive signature scheme, for all $(\{i, j\}, \sigma) \in S$, we have the following equation.

$\mathrm{TVf}(tpk, i, j, \sigma) = 1$   (2)

Lemma 3: The variable NotOK in the DLPTS transitive signature scheme can never become true.

Proof: By the above lemmas, the verification of a signature in $S$ always succeeds, meaning that for any $(\{i, j\}, \sigma) \in S$ we have $\mathrm{TVf}(tpk, i, j, \sigma) = 1$, so the only way left for NotOK to become true in the DLPTS transitive signature scheme is when $\sigma \neq \tau$ in a composition $\mathrm{Comp}(i, j, k, \sigma_1, \sigma_2)$. The output $\tau$ of the signing algorithm $\mathrm{TSign}(tsk, i, k)$ for edge $\{i, k\}$ is as follows:

$\tau = [(i, Y(i), \Sigma(i)), (k, Y(k), \Sigma(k)), (\ell(i) - \ell(k))]$ if $i < k$;
$\tau = [(k, Y(k), \Sigma(k)), (i, Y(i), \Sigma(i)), (\ell(k) - \ell(i))]$ if $k < i$.   (3)

The output $\sigma$ of the composition algorithm $\mathrm{Comp}(i, j, k, \sigma_1, \sigma_2)$ in the DLPTS transitive signature scheme is as follows:

$\sigma = [(i, Y(i), \Sigma(i)), (k, Y(k), \Sigma(k)), \delta]$   (4)

where, by the case analysis in the proof of Lemma 1, $\delta = \ell(i) - \ell(k)$ if $i < k$, and $\delta = \ell(k) - \ell(i)$ with the two certificates in the order $(k, i)$ if $k < i$, which is exactly $\tau$. Lemma 3 has been proved.

Theorem 1: The DLPTS transitive signature scheme described in the previous section satisfies the correctness requirement of Definition 1.

Proof: The DLPTS transitive signature scheme returns (Legit ∧ NotOK) at the end of its execution. From the above lemmas, we see that it is impossible for (Legit ∧ NotOK) to be true. Thereby, we have proved the correctness of the DLPTS transitive signature scheme.

4. Security

This section discusses the security of the new scheme under the assumption of intractability of the discrete logarithm problem. As with any signature scheme, proving security means proving that an adversary will not be able to forge a new signature even after having seen some previous legitimate signatures.

In the transitive signature scheme DLPTS = (TKG, TSign, TVf, Comp), TVf is the verification algorithm. On input a signature $\sigma = (C_i, C_j, \delta)$ of $\{i, j\}$, where $C_i = (i, Y(i), \Sigma(i))$ and $C_j = (j, Y(j), \Sigma(j))$, the verification algorithm verifies the following equations:

$\mathrm{SVf}(spk, t \| Y(t), \Sigma(t)) = 1$, where $t \in \{i, j\}$,   (5)

$Y(i) Y(j)^{-1} = g^{\delta} \bmod p$ if $i < j$, else swap $i$ and $j$.   (6)

The former equation is the signature verification of the standard digital signature scheme SDS = (SKG, SSign, SVf); the latter equation is the additional verification of the transitive signature scheme DLPTS. Having passed all the above verifications, we say that the signature is valid.

Given parameters $(p, q, g)$, we have the following lemma.

Lemma 4: For any $(Y(i), Y(j))$, solving for $\delta \in \mathbb{Z}_q$ from the following equation is equivalent to the discrete logarithm problem, where $Y(i), Y(j)$ are random in $\mathbb{Z}_p^*$.

$Y(i) Y(j)^{-1} = g^{\delta} \bmod p$

Proof: We denote the above problem by DLP*.

First, we have DLP ⇒ DLP*.

Let $x_i = \mathrm{DLP}(Y(i))$ and $x_j = \mathrm{DLP}(Y(j))$; then $\delta = (x_i - x_j) \bmod q$, which satisfies $Y(i) Y(j)^{-1} = g^{\delta} \bmod p$.

Second, we have DLP ⇐ DLP*.

Let $Y = Y(i) Y(j)^{-1} \bmod p$, $\delta = \mathrm{DLP}^*(Y(i), Y(j))$, and $x = \delta$; then $Y = g^{x} \bmod p$. Because $Y(i)$ and $Y(j)$ are random in $\mathbb{Z}_p^*$, $Y$ is also random. This means that for a random $Y \in \mathbb{Z}_p^*$ we can get an $x$ satisfying $Y = g^{x} \bmod p$.

Lemma 4 has been proved.

Suppose we are given a polynomial-time forger F for DLPTS. A is an algorithm to compute DLP whose parameters are generated by MG, and B is an attacker on the standard digital signature scheme SDS. $tpk = (p, q, g, spk)$ is a public key for the transitive signature scheme. For $(i, j) \in \mathbb{N}^2$, once F is done querying its oracle, it will output a signature $(\{i, j\}, \sigma)$ of the edge $\{i, j\}$, where $\sigma = ((i, y_i, \Sigma_i), (j, y_j, \Sigma_j), \delta)$.

Let $G^* = (V, E^*)$ denote the transitive closure of $G = (V, E)$, and let $B_1$, $B_2$, $B_3$ be three events, defined as follows.

$B_1 = \{\mathrm{TVf}(tpk, i, j, \sigma) \neq 1\}$

$B_3 = \{y_i \neq Y(i) \text{ or } y_j \neq Y(j)\}$

Because $(i, j)$ are randomly chosen in $\mathbb{N}$ and $\ell : V \to \mathbb{Z}_q$ is a random function, $Y(i), Y(j)$ are arbitrary in $\mathbb{Z}_p^*$. From Lemma 4, we have the following equations.

$\mathrm{Adv}^{dlp}_{MG,A}(k) = \Pr(\overline{B_3}) \ge \Pr(\overline{B_1} \wedge \overline{B_2} \wedge \overline{B_3})$   (7)

$= \Pr(\overline{B_3} \mid \overline{B_1} \wedge \overline{B_2}) \Pr(\overline{B_1} \wedge \overline{B_2})$   (8)

$= \Pr(\overline{B_3} \mid \overline{B_1} \wedge \overline{B_2})\, \mathrm{Adv}_{DLPTS,F}(k)$   (9)

Algorithm B performs a chosen-message attack on the standard digital signature scheme SDS using F as a subroutine. It is given access to a signing oracle $\mathrm{SSign}_{ssk}(\cdot)$ and is considered successful if at the end of its execution it outputs a valid signature pair relative to $spk$ where the message was not one of its former oracle queries. If F outputs its forgery $(\{i, j\}, \sigma)$ of the edge $\{i, j\}$, where $\sigma = ((i, y_i, \Sigma_i), (j, y_j, \Sigma_j), \delta)$, and $B_1$ and $B_2$ are not true while $y_i \neq Y(i)$ or $y_j \neq Y(j)$, then at least one of the signatures $\Sigma_i$ and $\Sigma_j$ must be a forgery. B is successful when the events $\overline{B_1}$, $\overline{B_2}$ and $B_3$ happen simultaneously. We have the following equations.

$\mathrm{Adv}_{SDS,B}(k) = \Pr(\overline{B_1} \wedge \overline{B_2} \wedge B_3)$   (10)

$= \Pr(B_3 \mid \overline{B_1} \wedge \overline{B_2}) \Pr(\overline{B_1} \wedge \overline{B_2})$   (11)

$= (1 - \Pr(\overline{B_3} \mid \overline{B_1} \wedge \overline{B_2}))\, \mathrm{Adv}_{DLPTS,F}(k)$   (12)

From formulas (9) and (12), we have Lemma 5.

Lemma 5: In the DLPTS transitive signature scheme, let F be a polynomial-time forger, A an algorithm to compute DLP whose parameters are generated by MG, and B an attacker on the standard digital signature scheme SDS. For all $k$, we have the following equation.

$\mathrm{Adv}_{DLPTS,F}(k) \le \mathrm{Adv}^{dlp}_{MG,A}(k) + \mathrm{Adv}_{SDS,B}(k)$   (13)

The hardness assumptions on DLP and SDS mean that both $\mathrm{Adv}^{dlp}_{MG,A}(k)$ and $\mathrm{Adv}_{SDS,B}(k)$ are negligible in $k$ for all algorithms A and B with running time polynomial in $k$. By the above Lemma 5, this implies that $\mathrm{Adv}_{DLPTS,F}(k)$ is negligible for any polynomial-time forger F.

We have the following Theorem 2 for the DLPTS transitive signature scheme.

Theorem 2: If the DLP is hard, and the standard digital signature scheme SDS is secure against forgery under adaptive chosen message attack, then the DLPTS transitive signature scheme is unforgeable under adaptive chosen message attack.

We have proved the unforgeability of the DLPTS transitive signature scheme.

5. Conclusion

In this paper, following the formal definition of transitive signatures described by Bellare and Neven in [BellNev], we have designed a new transitive signature scheme based on the discrete logarithm problem. The new scheme is different from Micali and Rivest's scheme. In our scheme there are two signature algorithms, one for signing nodes and another for signing edges, so it is a more generalized transitive signature scheme based on the discrete logarithm problem. In the random oracle model, we also prove the correctness and the transitive unforgeability of the new scheme under adaptive chosen-message attack, assuming the discrete logarithm problem is hard.
Abstract In this paper, the authors propose a generalized blind GOST signature scheme and three practical blind GOST signature schemes educed from the proposed generalized scheme by setting one of its three parameters to a constant.

Keywords: cryptography, digital signature, blind signature, GOST

Introduction

Blind signatures, first introduced by D. Chaum [1] at Crypto'82, are a variant of digital signature schemes which allows the requester to get a signature without giving the signer any information about the actual message or the resulting signature. Several signature schemes have been turned into blind signature schemes.

The first blind signature scheme, based on the RSA signature scheme, was proposed by D. Chaum in [1]. In [2] T. Okamoto proposed the blind Schnorr signature, and D. Pointcheval proved its security in [3]. Blind versions of a modification of DSA and of the Nyberg-Rueppel message recovery signature scheme are presented in [4] by J. L. Camenisch. D. Pointcheval gave a blind version of the Okamoto signature in [5] and proved its security in [3]. E. Mohammed proposed a blind signature scheme based on the ElGamal signature in [6]; unfortunately, this scheme is insecure (the signer's secret key can be derived). In [7], M. Abe presented a blind signature scheme that needs only three data moves and provides polynomial security.

The GOST signature scheme is Russia's digital signature algorithm [8, 9]. In this paper, we propose a generalized blind GOST signature scheme and three practical blind GOST signature schemes educed from the proposed generalized scheme by setting one of its three parameters to a constant.
1. GOST signature scheme

Let $p, q$ be large primes that satisfy $q \mid p - 1$, and let $g$ be an element of $\mathbb{Z}_p^*$ with order $q$. Let $H : \{0, 1\}^* \to \mathbb{Z}_q$ be a secure hash function. The signer's public and secret key pair is $(y, x)$, where $x \in \mathbb{Z}_q$ and $y = g^{x} \bmod p$. Let $m$ be the message to be signed.

• Signing: The signer chooses a random number $k \in_R \mathbb{Z}_q$, and computes

$r = (g^{k} \bmod p) \bmod q$
$s = xr + kH(m) \bmod q$

$(r, s)$ is the signature on message $m$.

• Verifying: The verifier computes

$v = H(m)^{q-2} \bmod q$
$z_1 = s v \bmod q$
$z_2 = (q - r) v \bmod q$
$u = (g^{z_1} y^{z_2} \bmod p) \bmod q$

and checks whether $u = r$.
2. Blind GOST signature schemes

In this section, we first propose a generalized blind GOST signature scheme, and then give three practical blind GOST signature schemes educed from the generalized scheme by setting one of its three parameters to a constant.

2.1 Generalized scheme

2.1.1 The scheme. The cryptographic setting is as above. The generalized blind GOST signature scheme is as follows.

• Signing: 1. The signer chooses a random number $k \in_R \mathbb{Z}_q$, and computes

$r = (g^{k} \bmod p) \bmod q$

then sends $r$ to the requester.

2. The requester chooses random numbers $t_1, t_2, t_3 \in_R \mathbb{Z}_q$, and computes

$R = (r^{t_1} g^{t_2} y^{t_3} \bmod p) \bmod q$
$E = H(m)$
$e = r t_1 (R E^{-1} + t_3)^{-1} \bmod q$   (1)

then sends $e$ to the signer.

3. The signer calculates

$s = xr + ke \bmod q$

and then sends $s$ to the requester.

4. The requester checks whether

$g^{s} = y^{r} r^{e} \bmod p$

If the requester accepts, it computes

$S = E(s e^{-1} t_1 + t_2) \bmod q$   (2)

and publishes $(R, E, S)$ as the signature on message $m$.

• Verifying: The verifier computes

$v = E^{q-2} \bmod q$
$z_1 = S v \bmod q$
$z_2 = (q - R) v \bmod q$
$u = (g^{z_1} y^{z_2} \bmod p) \bmod q$

and checks whether $u = R$ and $E = H(m)$.

2.1.2 The security. Here we discuss the security of the generalized scheme above.

Completeness. The completeness can easily be proved as follows. From equations (1) and (2), we obtain

$-R E^{-1} = t_3 - r e^{-1} t_1 \bmod q$
$S E^{-1} = s e^{-1} t_1 + t_2 \bmod q$

and then have that

$g^{z_1} y^{z_2} = g^{S E^{-1}} y^{-R E^{-1}} = g^{s e^{-1} t_1 + t_2}\, y^{t_3 - r e^{-1} t_1} = r^{t_1} g^{t_2} y^{t_3} = R \bmod p \bmod q$

where $s = xr + ke \bmod q$.

Unforgeability. Since the verifying equation of our scheme is the same as that of the GOST scheme, and the blind signature $(R, E, S)$ can be seen as a signature of the GOST scheme, if an adversary can forge a valid blind signature, he can also forge a valid GOST signature. On the other hand, if an adversary can forge a valid GOST signature, he can also obtain a valid blind signature. Thus, the unforgeability of our scheme is the same as that of the GOST scheme.

Blindness. A signature scheme is called blind if the signer's view and the resulting signature are statistically independent, where the signer's view is the set of all values that can be obtained by the signer during the execution of the signature issuing protocol.

Since there are three random parameters in the three blinding functions

$R = (r^{t_1} g^{t_2} y^{t_3} \bmod p) \bmod q$
$e = r t_1 (R E^{-1} + t_3)^{-1} \bmod q$
$S = E(s e^{-1} t_1 + t_2) \bmod q$

one can easily see that there always exists a tuple of random factors $(t_1, t_2, t_3)$ that maps $(r, e, s)$ to $(R, E, S)$ for any $(r, e, s)$ and any $(R, E, S)$. So the scheme is blind.



2.2 Educed schemes 

In fact, two random parameters are sufficient to provide blindness. So 
^3) c^n be one of (1, f2i ^3)1 <3) and (fi,<2i 0), thus we can obtain 

three schemes from the generalized scheme above as following. 



Case 1. $t_1 = 1$ 

In this case, the blinding functions are as follows: 

$R = (r g^{t_2} y^{t_3} \bmod p) \bmod q$ 
$e = r (R E^{-1} + t_3)^{-1} \bmod q$ 
$S = E(s e^{-1} + t_2) \bmod q$ 

The completeness and the unforgeability are the same as in the generalized scheme, 
and the blindness can be proved as follows. 

For $i = 0, 1$, let $r_i, e_i, s_i, k_i$ be the data appearing in the view of the signer 
during the execution of the signature issuing protocol on message $m_i$, and let 
$R_i, E_i, S_i$ be the corresponding signatures. It is sufficient to show that there 
exists a tuple of random factors $(t_2, t_3)$ that maps $r_i, e_i, s_i, k_i$ to $R_j, E_j, S_j$ for 
each $i, j \in \{0, 1\}$. To this end, we define 

$t_2 = S_j E_j^{-1} - s_i e_i^{-1} \bmod q$ 
$t_3 = r_i e_i^{-1} - R_j E_j^{-1} \bmod q$ 

and have that 

$g^{k_i} g^{t_2} y^{t_3} = g^{k_i - s_i e_i^{-1} + x r_i e_i^{-1}} g^{S_j E_j^{-1}} y^{-R_j E_j^{-1}} = g^{S_j E_j^{-1}} y^{-R_j E_j^{-1}} = R_j \bmod p \bmod q$, 

where $s_i = x r_i + k_i e_i \bmod q$. 

Thus, $r_i, e_i, s_i, k_i$ and $R_j, E_j, S_j$ have exactly the same relation defined by 
the signature issuing protocol, and the proposed scheme is blind. 

Case 2. $t_2 = 0$ 

In this case, the blinding functions are as follows: 

$R = (r^{t_1} y^{t_3} \bmod p) \bmod q$ 
$e = r t_1 (R E^{-1} + t_3)^{-1} \bmod q$ 
$S = E s e^{-1} t_1 \bmod q$ 

The completeness and the unforgeability are also the same as in the generalized 
scheme, and the blindness is similar to case 1. 

We define 

$t_1 = S_j E_j^{-1} s_i^{-1} e_i \bmod q$ 
$t_3 = S_j E_j^{-1} s_i^{-1} r_i - R_j E_j^{-1} \bmod q$ 

and have that 

$g^{k_i t_1} y^{t_3} = g^{k_i S_j E_j^{-1} s_i^{-1} e_i} y^{S_j E_j^{-1} s_i^{-1} r_i - R_j E_j^{-1}} = g^{S_j E_j^{-1} s_i^{-1} (e_i k_i + x r_i)} y^{-R_j E_j^{-1}} = R_j \bmod p \bmod q$, 

where $s_i = x r_i + k_i e_i \bmod q$. 

Thus, $r_i, e_i, s_i, k_i$ and $R_j, E_j, S_j$ have exactly the same relation defined by 
the signature issuing protocol, and the proposed scheme is blind. 

Case 3. $t_3 = 0$ 

In this case, the blinding functions are as follows: 

$R = (r^{t_1} g^{t_2} \bmod p) \bmod q$ 
$e = r t_1 R^{-1} E \bmod q$ 
$S = E(s e^{-1} t_1 + t_2) \bmod q$ 

The completeness and the unforgeability are also the same as in the generalized 
scheme, and the blindness is similar to case 1 and case 2. 

We define 

$t_1 = R_j E_j^{-1} r_i^{-1} e_i \bmod q$ 
$t_2 = S_j E_j^{-1} - R_j E_j^{-1} r_i^{-1} s_i \bmod q$ 

and have that 

$g^{k_i t_1} g^{t_2} = g^{k_i R_j E_j^{-1} r_i^{-1} e_i + S_j E_j^{-1} - R_j E_j^{-1} r_i^{-1} s_i} = g^{S_j E_j^{-1}} y^{-R_j E_j^{-1}} = R_j \bmod p \bmod q$, 

where $s_i = x r_i + k_i e_i \bmod q$. 

Thus, $r_i, e_i, s_i, k_i$ and $R_j, E_j, S_j$ have exactly the same relation defined by 
the signature issuing protocol, and the proposed scheme is blind. 



3. Conclusion 

In this paper, we propose a generalized blind GOST signature scheme and 
three practical blind GOST signature schemes. 
Abstract The definition and properties of one-off blind public key are proposed. It just 
needs the trusted entity to issue the generative factor of blind public keys one time 
for the user, and the user can generate his different public keys each time he uses 
it. So this scheme can ensure the disconnection among the user's actions, and 
the trusted entity can reveal the user's identity under the court's grant to prevent 
the user from committing fraud, but anyone else doesn't have this ability. At the same time, 
this scheme can ensure the user can't forge a one-off blind public key without the 
trusted entity. A new scheme of one-off blind public key is proposed. 

Keywords: blind signatures, group signatures, Fiat-Shamir identification scheme, one-off 
blind public key 

Introduction 

The concept of one-off blind public key and the first scheme of one-off 
public key protocol are proposed in [6]. It just needs the trusted entity to issue 
the generative factor of blind public key one time for the user, and the user 
can generate his different public keys each time he uses it. So this scheme can 
ensure the disconnection among the user's actions, and the trusted entity can 
reveal the user's identity under the court's grant to prevent the user from committing fraud, 
but anyone else doesn't have this ability. But the definition and properties of 
one-off blind public key haven't been presented. 

1. Definition and properties of one-off blind public key 

Definition 1.1. If, based on the secret data $x$, different public keys can be 
generated by using the public algorithm $F$, those public keys can correspond 
with the same or different private keys, and, without knowing the secret data $x$, 
no one can calculate the secret data $x$, the private key and the other public keys with 
the public algorithm $F$ and the known public keys, then we name those public 
keys blind public keys, the secret data $x$ the generative factor of blind 
public keys, and the public algorithm $F$ the blind public key generative algorithm. 
The trusted entity is used in one-off blind public key. One-off blind public 
key has essential properties as follows: 

(1) one-off ability: It just needs the trusted entity to issue the generative factor 
of blind public key one time for the user, and the user can use each of his different 
public keys only once. 

(2) public key changeability: Based on the generative factor of blind pub- 
lic key, the user can generate different public keys. Those public keys can 
correspond with the same or different private keys. 

(3) disconnection among the user's actions (includes anonymity): No one ex- 
cept the trusted entity can get any useful information about the user and his 
private key from the user's public keys. The receiver can know the sender has 
the legal public key and private key, but can't discover the sender's identity. If 
the public key the user uses is different each time, the receiver can't get the 
connection between the user's actions from the user's blind public keys. 

(4) unforgeability: No one can forge a one-off blind public key without the 
trusted entity. The one-off blind public key that the user generates must be 
generated from the generative factor of blind public key that was issued for the 
user. 

(5) unfraudulence: When a dispute occurs, the one-off blind public 
key can be sent to the trusted entity; the trusted entity can discover the user's 
identity, so it can prevent the user from committing fraud with one-off blind public key. 

2. Relative knowledge 

2.1 The theorem comes from [5] 

Let $n = p \cdot q$, where $p < q$, $p = 2p' + 1$, $q = 2q' + 1$, and $p, q, p', q'$ are all 
prime numbers. Then, 

(1) The order of an element in $Z_n^*$ is one of the numbers in the set 
$\{1, 2, p', q', 2p', 2q', p'q', 2p'q'\}$. 

(2) Given an element $w \in Z_n^* \setminus \{-1, 1\}$ such that $\mathrm{ord}(w) < p' \cdot q'$, either 
$\gcd(w - 1, n)$ or $\gcd(w + 1, n)$ is a prime factor of $n$. 

2.2 The Fiat-Shamir identification scheme 

The Fiat-Shamir identification scheme is an efficient method enabling one 
party to authenticate its identity to another party. A modification of the Fiat- 
Shamir identification scheme is used in our scheme [1]: 

The trusted entity T picks two prime numbers $p, q$, $n = p \cdot q$. T picks randomly 
an invertible element $x_A \bmod n$, and $x_A$ has a large order. T calculates $y_A = 
x_A^k \bmod n$, $k$ is a prime, $k < \mathrm{ord}(x_A)$, so A's secret key is $x_A$, A's public key is 
$(y_A, k)$. The following scheme can ensure A has $x_A$, and the public key $(y_A, k)$ 
he used satisfies $y_A = x_A^k \bmod n$. 

(1) A picks a random $r$, $r < n$, sends $r^k \bmod n$ to B. 

(2) B picks a random bit $b$, sends it to A. 

(3) A calculates $c = r \cdot x_A^b \bmod n$, sends $c$ to B. 

(4) B verifies $c^k = r^k \cdot y_A^b \bmod n$. 

The possibility of fraud in this protocol is 1/2. To ensure security, we 
need to run this protocol $t$ times repeatedly, with the random $r$ different each time, 
so the possibility of fraud is $1/2^t$. 

2.3 Group signature [2] 

Group signature allows one to sign on behalf of a group. Normally, a 
group signature scheme is composed of the group, the members of the group (the 
signers), the receiver (the message verifier) and the trusted entity. The properties 
of group signature are as follows: 

(1) Only the member of the group can sign, the signature is on behalf of the 
group. 

(2) The receiver can verify the validity of the signature, but can't discover 
the sender's identity. 

(3) When the disputation occurs, the trusted entity can discover the sender’s 
identity. 

3. One-off blind public key protocol 

3.1 The initialization of the trusted entity 

(1) The trusted entity T selects the prime numbers $p, q, p', q'$ with $p = 2p' + 1$, $q = 
2q' + 1$, the lengths of $p', q'$ equal, $n = pq$, $\varphi(n) = (p - 1)(q - 1)$. 

(2) The trusted entity T selects a random $e$, $\gcd(e, \varphi(n)) = 1$. T calculates 
$d$, $ed = 1 \bmod \varphi(n)$. $(n, e)$ is the trusted entity's public key, $d$ is the trusted 
entity's private key. T publicizes $\mathrm{len}(p'q')$, the length of $p'q'$. 

(3) Let $G = \{g \mid \mathrm{ord}(g) = p'q', g \in Z_n^*\}$. 

3.2 Issue generative factor of blind public key for user 

(1) User A uses his ID to register in the trusted entity T. T picks $e_A \in G$ as A's 
generative factor of blind public key, and ensures every member's generative 
factor of blind public key is different. T records A's ID and $e_A$ in its database. 

(2) T signs on $e_A$ based on RSA, viz. calculates $V_A = e_A^d \bmod n$, and sends 
$(e_A, V_A)$ secretly to A. 

3.3 Calculation of blind public key 

(1) After getting $(e_A, V_A)$, A verifies T's signature. 

(2) A picks a prime number $k$, $k > 2$, $\mathrm{len}(k) < \mathrm{len}(p'q')$. A calculates $e_{A,k} = 
e_A^k \bmod n$. A picks two prime numbers $p_{A,k}$ and $q_{A,k}$, $\gcd(e_{A,k}, (p_{A,k} - 1) \cdot 
(q_{A,k} - 1)) = 1$, $n_{A,k} = p_{A,k} \cdot q_{A,k}$. A calculates $d_{A,k}$, $e_{A,k} d_{A,k} = 1 
\bmod (p_{A,k} - 1)(q_{A,k} - 1)$. A calculates $V_{A,k} = V_A^k = (e_A^d)^k = e_{A,k}^d \bmod n$. 

Now, $d_{A,k}$ is A's private key, $(n_{A,k}, e_{A,k})$ is the corresponding public key, $V_{A,k}$ is 
T's blind signature on $e_{A,k}$, then $(n_{A,k}, e_{A,k}, V_{A,k}, k)$ is A's one-off blind public 
key. A records $k, p_{A,k}, q_{A,k}$ in his database. When calculating his one-off blind 
public key next time, A ensures $k, p_{A,k}, q_{A,k}$ are distinct. 

In this scheme, $e_A$ is the generative factor of blind public key, so $e_A$ must be 
secret. 

3.4 Verification of the validity of one-off blind public key 

(1) A picks a random $r$, $r < n$, calculates $u = r^k \bmod n$, sends $(n_{A,k}, e_{A,k}, V_{A,k}, 
k, u)$ to B after encrypting with B's public key. 

(2) B picks a random bit $b$, sends it to A. 

(3) A calculates $c = r \cdot e_A^b \bmod n$, sends $c$ to B. 

(4) B makes sure that A has $e_A$ and $e_{A,k} = e_A^k \bmod n$ by verifying $c^k = 
u \cdot e_{A,k}^b \bmod n$. The proof of this verification is $c^k = (r \cdot e_A^b)^k = r^k \cdot (e_A^k)^b = 
u \cdot e_{A,k}^b \bmod n$. 

(5) B verifies that $k$ is a prime number, $k > 2$, and $\mathrm{len}(k) < \mathrm{len}(p'q')$; it can 
ensure that the trusted entity can reveal the user's identity under the court's 
grant to prevent the user from committing fraud. 

(6) B makes sure that A has registered in the trusted entity, and the one- 
off blind public key that A generated is based on the generative factor of blind 
public key that the trusted entity issued for A. The proof of this verification is 
$V_{A,k}^e = (e_{A,k}^d)^e = e_{A,k} \bmod n$. 

(1)-(4) is the modification of the Fiat-Shamir identification scheme. In this step, 
the possibility of fraud is 1/2. To ensure security, it needs to run (1)-(4) $t$ 
times repeatedly, with the random $r$ different each time. Thus the 
possibility of fraud can be reduced to $1/2^t$. 

3.5 Using of one-off blind public key and the private key 

$(n_{A,k}, e_{A,k}, d_{A,k})$ is used in RSA's encryption scheme and signature 
scheme. $(n_{A,k}, e_{A,k})$ is the public key, $d_{A,k}$ is the private key. When $(n_{A,k}, e_{A,k}, d_{A,k})$ 
is used for encrypting, it is the session key based on public key cryptography, and 
it has the trusted entity's warrant. 

(1) A generates his one-off blind public key, sends it to B. 

(2) B encrypts message with this one-off blind public key in this communi- 
cation action. 

(3) A decrypts message with the corresponding private key. 
(4) In the next communication action, A generates and uses a new one-off 
blind public key. 

4. Security analysis of one-off blind public key 

4.1 One-off ability 

It just needs the trusted entity to issue the generative factor of blind public key 
one time for A, and A can generate one-off blind public keys using his generative 
factor of blind public key. Among his different communication actions, A can't 
use the same one-off blind public key, otherwise his actions can be connected 
through the same one-off blind public key. 

4.2 Public key changeability 

Based on the generative factor of blind public key, the user can generate 
different public keys. Every public key has the distinctive private key. 

4.3 Disconnection among the user's actions 

In the whole process, B just knows A has the generative factor of blind public 
key $e_A$ issued by the trusted entity, but can't get any other information about A, 
and can't get A's fixed public key. If A doesn't use the same $k$, $p_{A,k}$ and $q_{A,k}$ 
every time, his $(n_{A,k}, e_{A,k}, V_{A,k}, k)$ is different, his public key is a one-off blind 
public key, and his actions can't be connected with his one-off blind public key. 

The trusted entity can't know A's identity by viewing, because A's one-off blind 
public key is encrypted with B's public key in transmission. Only when the 
one-off blind public key is committed to the trusted entity under the court's 
grant can the trusted entity calculate A's generative factor of blind public key 
$e_A$ with $(n_{A,k}, e_{A,k}, V_{A,k}, k)$. 

4.4 Unforgeability 

If A has the legal generative factor of blind public key $e_A$, but $e_{A,k}$ and $k$ 
in $(n_{A,k}, e_{A,k}, V_{A,k}, k)$ don't satisfy $e_{A,k} = e_A^k \bmod n$, A will be exposed 
when using the Fiat-Shamir identification scheme. 

C can't pick a number $e_{C,k}$ satisfying $e_{C,k} = e_C^k \bmod n$, pick a prime 
number $k > 2$ and $n_{C,k}$, and declare $(n_{C,k}, e_{C,k}, V_{C,k}, k)$ as his one-off blind public 
key. Because C doesn't know $\varphi(n)$, he can't calculate $t = k^{-1} \bmod \varphi(n)$, 
and can't calculate $e_C = e_{C,k}^t \bmod n$, which means C hasn't registered in the 
trusted entity. C will be exposed when using the Fiat-Shamir identification 
scheme. 

C can't forge $(n_{C,k}, e_{C,k}, V_{C,k})$ without the trusted entity and use it in encryp- 
tion and signature. Because C doesn't know $\varphi(n)$, he can't calculate $d = e^{-1} 
\bmod \varphi(n)$ and can't calculate $V_{C,k} = e_{C,k}^d \bmod n$, which means C can't forge 
$V_{C,k}$. If C picks a random $V_{C,k}$, the verification $V_{C,k}^e = e_{C,k} 
\bmod n$ fails. 

Anyone, including B, can't make use of the one-off blind public key $(n_{A,k}, e_{A,k}, V_{A,k}, 
k)$ that was made by A, pick a number $r$ ($r < n$), and calculate 
$e_{A,k'} = e_{A,k}^r \bmod n$ to forge a one-off blind public key. 

Now, $e_{A,k'} = e_A^{kr} \bmod n$, $V_{A,k'} = V_{A,k}^r = (V_A^k)^r = 
V_A^{kr} \bmod n$. If hoping to pass the Fiat-Shamir identification scheme, it 
needs $k' = kr \bmod \varphi(n)$, and needs $k'$ to be a prime number, but no one knows 
$\varphi(n)$ except the trusted entity, so no one can forge $k'$. It means no one can 
get a legal one-off blind public key by calculating 

$e_{A,k'} = e_{A,k}^r \bmod n$, $V_{A,k'} = V_{A,k}^r \bmod n$. 

4.5 Unfraudulence 

A can't cheat with one-off blind public key. If A cheats, B commits 
$(n_{A,k}, e_{A,k}, V_{A,k}, k)$ to the trusted entity under the court's grant. Now $\varphi(n) = 
(p - 1)(q - 1) = (2p' + 1 - 1)(2q' + 1 - 1) = 4p'q'$, and $p', q', k$ ($k > 2$) are 
prime numbers. The difficulty of $k$ just being $p'$ or $q'$ is equal to the difficulty 
of factorizing $n$. Except in the case that $k$ is $p'$ or $q'$, $\gcd(k, \varphi(n)) = 1$ holds. 
So the trusted entity can calculate $t = k^{-1} \bmod \varphi(n)$, then can 
reveal A's identity by calculating $e_{A,k}^t = e_A \bmod n$. 

5. The properties of one-off blind public key protocol 
5.1 One transform blind signature 

For proving that A has the legal one-off blind public key, it needs the trusted 
entity's signature on the generative factor of blind public key; then A can gen- 
erate the blind signature on the part of one-off blind public key based on the 
generative factor of blind public key, and B can verify it. In our scheme, this 
blind signature is different from the traditional blind signature [3, 4]: only one 
transform is done, and the message and the signature are transformed to another 
message and the corresponding signature at the same time; we call this blind 
signature one transform blind signature. Its process is as follows: 

(1) B signs on message $m$, gets the signature $s$. B sends $(m, s)$ to A. 

(2) A transforms message $m$ to $m'$. At the same time, A transforms the 
signature $s$ to $s'$. Now, A gets the signature $s'$ on $m'$. 

In this process, the trusted entity doesn't know the final message $m'$ that 
will be signed, nor the final signature that will be verified, so it is one kind of 
blind signature. In this kind of blind signature, there is one important difference 
from the traditional blind signature: in the traditional blind signature, A knows 
the final message that will be signed in advance, but in one transform blind 
signature, A doesn't know the final message that will be signed in advance. In 
fact, in one-off blind public key, it signs on the part of the blind public key at 
the latest, the user's blind public key is generated temporarily when it will be 
used, and the one-off blind public key is different every time. 

5.2 The check on one-off blind public key 

(1) B must check that A has registered in the trusted entity, and that the one-off blind 
public key that A generated is based on the generative factor of blind public key that 
the trusted entity issued for A. It can be guaranteed through the blind signature 
on the part of the blind public key that is made by the trusted entity. 

(2) B must check that A has used the blind public key generative algorithm he 
promised and the one-off blind public key he published. 

If A hasn't used the blind public key generative algorithm he promised and 
the one-off blind public key he published, and B doesn't check it, it means that if 
A commits fraud with one-off blind public key, no one including the trusted entity 
can reveal A's identity. In general, the trusted entity won't interfere with the com- 
munication between A and B, so B must check it, and B can't get any useful 
information from it. 

5.3 The compose of one-off blind public key 

From the above analysis, we can get the conclusion: one-off blind public key is 
composed of five parts: 

(1) the final public key used for signing or encrypting. 

(2) the blind signature on the part of one-off blind public key that is made 
by the trusted entity. 

(3) the blind factor for the blind transform in one transform blind signature. 

(4) the identifier of the blind public key generative algorithm. 

(5) the identifier of the zero-knowledge proof for verifying the validity of 
one-off blind public key. 

In our scheme, the blind public key generative algorithm and the identifier of 
the zero-knowledge proof for verifying the validity of one-off blind public key 
are specified by the trusted entity; this point isn't presented directly in one-off 
blind public key. In fact, the trusted entity can specify more than one blind 
public key generative algorithm, every blind public key generative algorithm 
can correspond with one zero-knowledge proof protocol, and the user can select 
them when the one-off blind public key is generated. 

5.4 The functions and the rights of the trusted entity 

In our scheme, the functions of the trusted entity are as follows: 

(1) Generate the generative factor of blind public key for every user. 

(2) Reveal the user's identity when he tries to cheat. 

It is well known that the cooperation of B and the trusted entity can reveal one 
user's identity in one communication, but can't view other communications of 
this user, and it is more difficult to view one fixed user's communications. This 
point can ensure the user can't cheat with one-off blind public key, and the 
user's communications have anonymity and disconnection. In our scheme, the 
trusted entity can forge a one-off blind public key and its corresponding private 
key, but we don't think the trusted entity will do it, otherwise it isn't the trusted 
entity. 



5.5 Comparison with group signature 

(1) If the trusted entity is treated as the group, only the members of the group 
can generate one-off blind public keys. 

(2) The receiver can verify the validity of a one-off blind public key, but can't 
discover the user's identity. 

(3) When a dispute occurs, the trusted entity can discover the user's 
identity with the one-off blind public key. 

However, the purpose of generating a one-off blind public key is to use the one- 
off blind public key, and the use of one-off blind public key is to protect the 
user's privacy. The use of one-off blind public key is on behalf of the user; 
it is independent of the group. For the receivers, they need the trusted entity 
to ensure the validity of one-off blind public key and to discover the user's 
identity when the user tries to cheat. 

6. Conclusion 

The definition and properties of one-off blind public key are proposed. The 
analysis of one-off blind public key and its protocol is done. A new scheme 
is presented; it can generate one-off blind public keys based on RSA. In this 
scheme, when the one-off blind public key is used for encrypting, the session 
key based on public key is generated. 
Abstract In this paper two kinds of "Robust Threshold Key Escrow Schemes" are analysed 
systematically and many practical attacks on them, such as Subliminal Channel 
Attack, Cheating Attack, etc., are provided. In the meantime, we show that whether 
they gain their end of robustness is worth deliberating. In addition, we also 
discuss the necessity of some groupware of the protocol and establish the basis of 
analysis on Key Escrow Schemes. 

Keywords: key escrow; threshold scheme; robustness; improved RSA cryptosystem; ElGamal 
cryptosystem 

1. Introduction 

There exist such controversies in the field of information security: how to 
solve the contradiction between the government's monitoring of individual com- 
munication (for example, when the security of the country is involved) and protect- 
ing privacy. One possible solution is: in a communication net, the private keys of 
users are held by several escrow agencies; if necessary, for example after gaining 
the warrant of the court, the monitor can trace one's communication using the 
shares from the escrow agencies. This way has led to a new cryptographic subfield: 
Key Escrow. Furthermore, NIST (National Institute for Standards and Technol- 
ogy) published EES (Escrowed Encryption Standard) based on hardware chips 
[1] in 1994. 

The current research on Key Escrow mainly focuses on: How to present new 
secure key escrow schemes not depending on hardware chips, i.e. realizing 
software key escrow using the public algorithms and protocols. 

Since the 1990s, the research has made great progress. However, there is still 
a much longer road to perfect key escrow schemes. 

In 1995, Desmedt proposed a communication scheme based on the public key 
cryptosystem (ElGamal) [2], which permits the monitor to trace the receiver accord- 
ing to LEAF (Law Enforcement Access Field). But Lars R showed soon that 
the Desmedt scheme is not secure because it cannot prevent several synergic re- 
ceivers from cheating [3]. 

In 1995, Shamir put forward the idea of partial key escrow [4] in order to 
alleviate the loss caused by a possible dishonest monitor. In addition, Nechvatal 
introduced the concept of threshold key escrow [5]. 

In 1998, Mike Burmester solved the problem of "monitoring once, monitoring 
forever" which exists in many schemes. The main approach is adding time into 
the secret key of the user [6]. 

We will analyse the results of [7, 8, 9] in this paper. In these papers Cao 
brings forward two kinds of Robust Threshold Key Escrow Schemes (RTKES), 
where "robustness" refers to the property that even if several malicious escrow 
agencies work together, it is impossible to recover the escrowed secret key. 

We show in our paper that the two schemes mentioned above are not secure 
and that whether they gain their end of robustness is worth deliberating. In fact we 
are doubtful of the existence of such schemes. In addition, we also discuss the 
necessity of some groupware of the protocol and establish the basis of analysis on 
Key Escrow Schemes. For simplicity we denote "Key Escrow System/Scheme" 
by KES. 

2. Review of two classes of robust threshold Key Escrow 
Schemes (RTKES) 

2.1 RTKESl based on factorizing 

The agencies in RTKES1. 

1) KMC (Key Management Center): with responsibility for generating, dis- 
tributing and managing almost all secret keys. 

2) The set of escrow agencies T: holding parts of the secret key of the public key 
cryptosystem $E_2(sk, e)$ and helping the monitor gain its end. 

3) Monitor W: with responsibility for monitoring the communication of users. 

The encryption algorithms in RTKES1. 

1) $E_1(M, sk)$: A standard block encryption algorithm with session key $sk$ 
for secure communication of users. 

2) $E_2(sk, e)$: So called "improved RSA" used to encrypt the session key, which 
is the main part of LEAF. 

3) $S(H(M))$: User's signature, where $H()$ is some hash function. 

Description of KES. Assume the private key of $E_2()$ is 

$d = d_1^{-1} d_2 \bmod \phi(N)/2$, 

where $\phi$ is Euler's function. 

First, KMC divides $d_2$ into $n$ subkeys using the secret sharing scheme of 
Shamir. Each $T_i$ ($i = 1, 2, \ldots, n$) receives its respective share from KMC and can 
verify it. Then $d_1^{-1}$ is transmitted to the user U through a private channel. 

In every communication, sender U and receiver V first set up a session 
key $sk$ using some fixed protocol. Then U transmits the ciphertext with LEAF 
$C = (E_1(M, sk), LEAF)$ to V, where $LEAF = (E_2^{subd1}(sk, e), S(H(M)), 
C(U))$, $subd1 = d_1^{-1}$, and $C(U)$ is the certificate of U. When receiving $C$, V 
can recover message $M$ and verify the signature. If monitoring is needed, W first 
obtains the information of subkey $d_2$ from T and can recover the session key 
$sk$ according to LEAF. It should be noted that W cannot obtain the private 
key $d$. Details can be seen in [7, 8, 9]. 

2.2 RTKES2 based on DLP(Discrete Logarithm 
Problems) 

Most agencies in RTKES2 are the same as in RTKES1, except that: 

1) $d_1^{-1}$ is also controlled by monitor W; 

2) the ElGamal cryptosystem [2] replaces the "Improved RSA". 

In addition, RTKES2 also includes a new sub protocol, called "monitor au- 
thentication protocol" by us, which satisfies the need that W verifies the shares 
from T. 

2.3 Analysis of [7, 8, 9] 

[7, 8, 9] argue that there exist robust threshold key escrow schemes, i.e. 

1) The schemes RTKES1 and RTKES2 solve the problem "monitoring once, 
monitoring forever"; 

2) The two schemes have the property of robustness and are secure against 
the coalescence of several malicious escrow agencies. 

3) Escrow agencies can verify the shares from the KMC. 

4) The monitor authentication protocol can identify malicious escrow agencies. 

5) The two schemes are secure against the LEAF feedback attack. 
3. Our viewpoints 

We think that RTKES1 and RTKES2 are not secure. 

1) KES depends on KMC without measure. In some sense, if W realizes 
monitoring using KMC, the protocols are trivial. 

2) "Improved RSA" leaks the lsb of the message encrypted. 

3) For RTKES1, its robustness does not consider the factor of malicious 
users. And for RTKES2, in fact its robustness is realized by changing W into 
a special escrow agency with monitor function. 

4) The sub protocol in which T verifies the shares is not necessary under the as- 
sumption of [7, 8, 9]. 

5) The two schemes are not secure against the subliminal channel attack. 

6) For RTKES2, if there exist malicious users or active (malicious) escrow 
agencies, the monitor authentication protocol is not secure. 

4. Analysis basis on KES 

Many analysis methods on KES have been proposed at present. Here, we 
try to give a normative analysis basis on KES. 

Definition 4.1. (KES) KES is a tuple of five elements as follows: $(U, T, W, KMC, 
V)$, where both the number of elements of W and of KMC may be 1, and V is the trusted 
party. The elements above are linked by cryptographic protocols and satisfy 
the conditions as follows: 

1) Users carry out communication using the LEAF-added way; 

2) If all parties obey the rules, W can monitor the communication of users. 

The security can be ascribed to the security of sub protocols, such as session 
key distribution, secure transmission, key escrow, and so on. For the sake of 
analysis conditions, we introduce the concept of credible degree function. 

Definition 4.2. (credible degree function TR) TR is such a function mapped 
from all parties of KES to $[0, 1]$, where the function value 1 represents completely 
believable and 0 the contrary. 

Obviously the values of function TR denote the believable degree of the 
parties in KES and TR is not computable. But we think that any trusted third 
party may assess its value. 

Axiom 1. $TR(U) < TR(T) < TR(W) < TR(KMC)$ 

Obviously the axiom is reasonable. In fact, $TR(KMC)$ is almost 1 in the two 
RTKES. So, the security of KES is the security degree under some distribution 
of TR. The analysis as follows is all based on the axiom. 
5. Analysis on RTKES1 

5.1 Analysis on Improved RSA 

Firstly the Improved RSA is introduced. 

$N = pq$ is a Blum integer and assume: $\gcd(b, N) = 1$, Jacobi symbol $(\frac{b}{N}) = 
-1$, $\gcd(e, \phi(N)/2) = 1$, $ed = (\phi(N)/4 + 1)/2 \bmod (\phi(N)/2)$. Parameters 
$b, e, N$ are public and $d$ is secret. 

When encrypting message $x$: if $(\frac{x}{N}) = 1$, $E(x) =$ , otherwise $E(x) =$ . 

The ciphertext is $c = (E(x), c_1, c_2)$, where, if $x$ is even, set $c_1 = 0$, 
else $c_1 = 1$; if $(\frac{x}{N}) = 1$, $c_2 = 0$, otherwise $c_2 = 1$. Decrypting is obvious. 

Our main result of analysis is as follows and the proof is omitted. 

Theorem 5.1. For Improved RSA, we have: 

1) For any messages $x_1, x_2$, the probability that the equation $E(x_1 x_2) = E(x_1) 
E(x_2)$ holds true is 0.75 at least. 

2) $\mathrm{Parity}(x) = c_1$, i.e. the least significant bit of the message is leaked. 

5.2 Analysis on escrow protocol 

This is a sub protocol on the distribution of shares generated by KMC. As the pro- 
tocol finishes, each escrow agency obtains the legal share of the secret key of the user 
and each share can be verified. 

We note that this is a non-interactive protocol and the information is trans- 
mitted through a private secure channel ([7, 8, 9]). So it is not easy to see that the 
only possible attack on the protocol is the cheating attack of KMC (it should 
be noted that the security goal of the protocol is that escrow agencies can obtain 
their shares correctly). However, by Axiom 1, we have known that it is impossi- 
ble to imagine that KMC is dishonest. Therefore, we can give the conclusion: 
the authentication groupware of the protocol is not necessary. In the trivial sense, the 
security of the protocol can be proved. 

5.3 Subliminal channel attack on communication protocol 

According to the introduction of RTKES1, it can be seen that: 

1) Receiver V does not need LEAF indeed when decrypting because the 
session key $sk$ is only set up by U and V. 

2) The part of the private key of U, $subd1 = d_1^{-1}$, is not escrowed, i.e. $subd1$ is 
still controlled by U. 

So, U and V can attack it in the way as follows. 

U may send his message to receiver V in the way: 
$C' = (E_1(M, sk), LEAF)$, $LEAF = (E_2^{subd1}(sk', e), S(H(M')), C(U))$, 
where $sk' = h(sk)$ ($h()$ is some public secure one-way function, such as a 
hash function), $M' = E_1(E_1(M, sk), sk')$, and assume the encrypting algo- 
rithm and the decrypting one are the same. 

U can also send his message in such a way: $C'' = (E_1(M, sk), LEAF)$, 
$LEAF = (E_2^{subd1'}(sk, e), S(H(M'')), C(U))$, where $subd1' = h(d_1)$, 
$h(d_1)$ may be public, and $M'' = E_1(E_1(M, sk), sk^{subd1'})$. 

We can see easily that in case of monitoring, W can only obtain the false session 
key $sk' = h(sk)$ or $sk^{subd1'}$ from the escrow agencies, and even if W verifies 
the signature in LEAF, it cannot detect the existence of the subliminal channel. In 
fact, the true session key of U and V is $sk$, but under the assumption of the one-way 
function or the factorization problem, W cannot derive $sk$ from $sk'$. 

Theorem 5.2. RTKES1 cannot resist the subliminal channel attack launched 
by malicious users. 

Considering the least value of $TR(U)$, the conditions needed by such an attack 
are very weak. 

5.4 Analysis of monitor protocol 

Theorem 5.3. In case of a cahoot of malicious users and $k$ escrow agencies, 
the integer $N$ can be factorized. 

The proof is easy and is omitted. In fact, considering the least value of 
$TR(U)$, it is not suitable to take U as one escrow agency in order to solve the 
problem of depending on escrow agencies without measure. 

6. Analysis on RTKES2 

As we know, RTKES2 is similar to RTKES1 except that the encrypting algorithm 
adopts ElGamal. Therefore the analysis conclusions above also hold true. 
However, there exists another subliminal channel attack for both RTKES1 and 
RTKES2, and the monitor protocol of the latter is not secure either. 

6.1 Subliminal channel attack based on signature schemes 

Here we want to make the point that it is dangerous to prevent subliminal 
channel attacks by signature schemes alone. 

According to [14, 15], there exists a subliminal channel in ElGamal signature 
schemes. 

Here we construct one kind of subliminal channel using the signature scheme 
based on improved RSA: Sender U leaks his private key for signing to receiver V 
on purpose beforehand, where the private key for signing is $d = sk + m \bmod \phi(N)$. 
And they use $h(sk)$ as their session key, where $h(\,)$ is a secure hash function. 
Then U sends his message as follows: 

$c = (E_1(M, h(sk)), LEAF)$, $LEAF = (E_?(h(sk), e), S(H(M)))$ 

As a result, in case of monitoring, W can only obtain $h(sk)$ from the escrow 
agencies, i.e. recover some disguised message $M$. Because of the one-wayness of 
$h(\,)$, W cannot derive $sk$ from $h(sk)$. On the other hand, V can easily recover 
the intended message $m$ by computing $m = (d - sk) \bmod \phi(N)$. It should 

be noticed that $sk$ is set up only by U and V in both RTKES1 and RTKES2. 

6.2 Cheating attack on monitor protocol 

Firstly we give a concise description of the monitor protocol of RTKES2. The 
sub-protocol is devised to make W verify the shares from the escrow agencies, i.e. 
W should have the ability to identify malicious escrow agencies. 

Parameters. KMC publicizes the public key of U, $y = g^d$, where the private key 
$d$ is composed of $d_1$ and $d_2$: $d_1$ was sent to W through a private channel 
beforehand, and $d_2$ is divided into $n$ shares $b_1, \ldots, b_n$ by a secret sharing 
scheme, which are given to the escrow agencies. In case of monitoring, escrow 
agency $T_i$ ($i = 1, 2, \ldots, n$) only refers $Q_i = u^{b_i} = g^{x b_i}$ to W, where 
$u = g^x$ is the first part of the ciphertext of $sk$ (note that the ElGamal public 
key algorithm is adopted to encrypt the session key). 

Protocol. For $i = 1, 2, \ldots, n$, the steps are as follows. 1) $T_i$ sends $Q_i = u^{b_i}$ to 
W; 2) W chooses $\alpha_i$ and $\beta_i$ in $F_q$ randomly, computes a challenge from them 
and sends it to $T_i$; 3) $T_i$ computes the response $R_i$ and sends it to W; 4) W verifies 
whether the verification equation on $R_i$ holds. If yes, W accepts the share; 
otherwise W alleges that $T_i$ is dishonest. 

Analysis. It should be noted that the verification equation involves 
$u = g^x$. We think this is not suitable, because $u = g^x$ is generated by user U, whose 
value of $TR(U)$ is the smallest. So two cheating protocols can be constructed as 
follows. 

Case 1. Some malicious sender U replaces $u = g^x$ used in LEAF with any 
$g^l$, and $l$ is given to $T_i$. In case of monitoring, the malicious $T_i$ can then do the 
following in step 1) of the protocol: $T_i$ computes $a_i = b_i l$ and sends $Q_i = g^{a_i}$ (instead 
of $g^{x b_i}$) to W. On the other hand, in step 3) $T_i$ answers the challenge of W with 
the corresponding $R_i$. The reader can easily verify that by doing so $T_i$ can cheat W with 
$Q_i = g^{l b_i}$. Note that the true share is $Q_i = g^{x b_i}$. 

Case 2. The malicious escrow agency $T_i$ is active and replaces $u = g^x$ in 
LEAF with $g^l$ chosen by itself. Note that this would not affect the normal 
communication of the users. 

The reason for the success of the cheating attack is that the communication 
channel of the users is not secure, i.e. there is no private channel like the one to KMC. In 
addition, the attack conditions are feasible according to axiom 1. 

6.3 Analysis on Robustness 

We can see that in fact RTKES2 realizes robustness by regarding W as 
an agency with the functions of both escrow and monitor. Obviously this strengthens 
the rights of W greatly. Considering the case of a dishonest W [4], the method 
may not be worth the candle. 

7. Tag 

Considering them separately, we think that in some sense [7, 8, 9] solve the problem 
"Monitoring once, monitoring forever". However, there exist some deficiencies: 
the session key $sk$ is chosen completely by the users, and master keys are escrowed 
in the common way. Therefore the method does not solve the problem above in 
the complete sense. We argue that the problem can be solved using a key escrow 
scheme with a limited time span [6]. 
Abstract Equation solving is an important scientific computation that is generally employed. 

Solutions to this problem are widely used in many areas such as banking, 
manufacturing, electrical engineering and telecommunications. However, the existing 
solutions do not extend to the privacy-preserving cooperative computation 
situation, in which the equations are shared by multiple parties who do not want to 
disclose their data to other parties. 

In this paper, we formally define these specific privacy-preserving cooperative 
computation problems, and present protocols to solve them. Besides, a new 
multi-party protocol to handle computation over reals is presented. 

Keywords: secure multi-party computation, equation solving 

1. Introduction 

The rapid development of distributed systems raised the natural question 
of what tasks can be securely performed. With the application of multi-party 
computation, cooperative computation could occur between mutually untrusted 
parties, or even between competitors. 

In this paper, we introduce the privacy-preserving cooperative equation solving 
(PPCES) problem. The general definition of the PPCES problem is that two 
or more parties want to solve an equation based on their private inputs, but 
neither party is willing to disclose its own input to anybody else (including a 
so-called trusted third party). 
Generally speaking, a secure multi-party computation problem deals with 
computing a function on any input, in a distributed network where each participant 
holds one of the inputs, ensuring that no more information is revealed to 
a participant in the computation than can be computed from that participant's 
input and output. The history of the multi-party computation problem is extensive 
since it was introduced by Yao [2] and extended by Goldreich, Micali, 
and Wigderson [8], and by many others. 

In theory, the general secure multi-party computation problem is solvable 
using the circuit evaluation protocol [2, 8, 7]. In the circuit evaluation protocol, each 
functionality F is represented as a Boolean circuit, and then the parties run a 
protocol for every gate in the circuit. While this approach is appealing in its 
generality, the communication complexity of the protocol it generates depends 
on the size of the circuit that expresses the functionality F to be computed, 
and in addition involves large constant factors. Therefore, 
as Goldreich points out in [7], using the solutions derived from these general 
results for special cases of multi-party computation can be impractical; special 
solutions should be developed for special cases for efficiency reasons [10, 4]. 
This is our motivation for seeking special solutions to equation solving problems, 
solutions that are more efficient than the general theoretical solutions. 

There are several ways to share an equation. Depending on how such an 
equation is shared by Alice and Bob, or in other words how Alice and Bob 
cooperate with each other, the problem can appear in a variety of forms. 
Table 1 describes two different types of cooperation. 



Table 1. Various ways of cooperation 

                    Case 1                 Case 2 
Alice's share       f(x)                   f(x) 
Bob's share         g(x)                   g(x) 
target equation     h(f(x), g(x)) = 0      f(g(x)) = 0 



2. Approximate Multi-party Computation over Reals 

All the existing methods we know of deal with computation in a finite field [3, 2, 
1, 7, 9]. We now present a multi-party protocol over reals based on a verifiable 
secret sharing scheme [5]. Every function over reals of $n$ inputs can be efficiently 
computed by a complete network of participants. And if no faults occur, 
no set of size $t < n/2$ of players gets any additional information. Even if 
Byzantine faults are allowed, no set of size $t < n/3$ can either disrupt the 
computation or get additional information. As Gennaro points out in [6], multi-party 
computation can be efficiently performed in $GF(p)$. Then a natural idea 
is to find a way to code a real number into an element of $GF(p)$ and decode a field 
element to a real number; then we can perform approximate computing over reals. 
For example, we can employ the following conversion rule between field element 
$F$ and real number $R$: 



1 Select an adequate prime $p$ which is large enough for the following 
computations. The public parameter $p$ should satisfy the condition that $p/2$ 
is greater than any of the inputs, temporary results and final results. 

2 According to the required accuracy, Alice and Bob select another public 
parameter $k$ as the conversion rate between real number and field element. 
For example, if the error should be controlled within $\pm 0.5 \times 10^{-s}$, 
$k$ should be $10^{s}$ (the digit $s$ is illegible in the scan). 



3 Use the following function to encode a real number: 

$F = E(R) = [R \times k] \bmod p$   (1) 

where $[\,]$ means the nearest integer function. 

4 Use the following function to decode: 

$R = \begin{cases} F/k, & F < p/2 \\ -(p - F)/k, & F > p/2 \end{cases}$   (2) 



After conversion, three operations (addition, subtraction and multiplication) 
can be securely conducted in the finite field [5]. When multiplication is mixed with 
other operations, the conversion rate should be adjusted. For example, if we 
want to securely compute $a + b \times c$, we compute $a \times k + (b \times k)(c \times k)$ over the 
finite field. 

What we should think about carefully is the division operation. Division over 
reals is completely different from division over a finite field. Assume $a$ and $b$ are shared 
by Alice and Bob; then $a/b$ can be computed as follows: 

1 Alice selects a random number $x_1$ and shares it with Bob. Bob selects a 
random number $x_2$ and shares it with Alice. 

2 Alice and Bob now jointly compute and publish $m = b \cdot x_1 \cdot x_2$. 

3 Since $m$ is published, Alice and Bob can compute and share $1/m$. 

4 Alice and Bob now jointly compute $r = a \cdot (1/m) \cdot x_1 \cdot x_2$, which is the final 
result. 

There is a problem in the above protocol. Since $m = b \cdot x_1 \cdot x_2$ is published, 
$b$ must be a factor of $m$. Therefore Alice and Bob get some information about 
$b$. This violates the security requirements of secure multi-party computation. 
We provide a modified version to deal with this problem. 

1 Alice selects two random numbers $x_1$, $\epsilon_1$ and shares them with Bob. And Bob 
selects two random numbers $x_2$, $\epsilon_2$ and shares them with Alice. $\epsilon_1$ and $\epsilon_2$ are 
real numbers in the range of $\pm k^{-\ldots}$. 

2 Alice and Bob now jointly compute and publish $m = b \cdot x_1 \cdot x_2 + \epsilon_1 + \epsilon_2$. 

3 Since $m$ is published, Alice and Bob can compute and share $1/m$. 

4 Alice and Bob now jointly compute $r = a \cdot (1/m) \cdot x_1 \cdot x_2$, which is the final 
result. 

In the above protocol, $\epsilon_1$ and $\epsilon_2$ are small enough to keep the accuracy of the calculation. 
The new protocol is secure and can be easily modified to serve any number of 
participants. 



3. Secure Multi-Party Equation Solving Problems and 
Protocols 

The Newton-Raphson method is a root-finding algorithm which uses the first few 
terms of the Taylor series of a function $f(x)$ in the vicinity of a suspected root to 
zero in on the root. For $f(x)$ a polynomial, Newton's method is essentially the 
same as Horner's method. The Taylor series of $f(x)$ about the point $x = x_0 + \epsilon$ 
is given by 

$f(x_0 + \epsilon) = f(x_0) + f'(x_0)\,\epsilon + \tfrac{1}{2} f''(x_0)\,\epsilon^2 + \cdots$   (3) 

Keeping terms only to first order, 

$f(x_0 + \epsilon) \approx f(x_0) + f'(x_0)\,\epsilon$   (4) 

This expression can be used to estimate the amount of offset $\epsilon$ needed to land 
closer to the root starting from an initial guess $x_0$. Setting $f(x_0 + \epsilon) = 0$ and 
solving (4) for $\epsilon = \epsilon_0$ gives 

$\epsilon_0 = -\dfrac{f(x_0)}{f'(x_0)}$   (5) 

which is the first-order adjustment to the root's position. By letting $x_1 = 
x_0 + \epsilon_0$, calculating a new $\epsilon_1$, and so on, the process can be repeated until it 
converges to a root using 

$x_{n+1} = x_n - \dfrac{f(x_n)}{f'(x_n)}$   (6) 

When the method converges, it does so quadratically. 
In a multi-party environment, after selecting an adequate initial value we can solve the 
equation using the Newton-Raphson method if we can compute $f(x)$ and $f'(x)$ at 
arbitrary $x$. In both cases listed in Table 1, we can easily compute the 
function results and their derivatives. 

In the first case, Alice has $f(x)$, Bob has $g(x)$, and they want to solve the equation 
$h(f(x), g(x)) = 0$, where $h$ is a function of two inputs that uses only addition, 
subtraction, division and multiplication. Then $h(f(x), g(x))$ can 
be securely computed, and its derivative as follows: 

$\dfrac{dh(f,g)}{dx} = \dfrac{\partial h}{\partial f}\dfrac{df}{dx} + \dfrac{\partial h}{\partial g}\dfrac{dg}{dx}$   (7) 

where Alice can privately compute $f(x)$ and $\frac{df}{dx}$, and Bob can privately compute 
$g(x)$ and $\frac{dg}{dx}$. Then they apply the Newton-Raphson method to solve the equation 
$h(f(x), g(x)) = 0$. 

In the second case, Alice has $f(x)$, Bob has $g(x)$, and they want to solve the 
equation $f(g(x)) = 0$ where $f(x)$ is a polynomial function. Let $r(x) = 
f(g(x))$. Since we limit $f(x)$ to be a polynomial function, $r(x)$ and $r'(x)$ can 
be securely computed. And $r'(x)$ can be computed as follows: 

$r'(x) = f'(g(x)) \cdot g'(x)$   (8) 

After the initial value of $x$ is selected, the participants can perform multi-party 
computation continuously until the approximate result is found. The whole 
computation process can be divided into several iterations, and each iteration is 
composed of two phases: a checking phase and a computing phase. In the checking 
phase, all participants check together whether $f(x_i)$ lies in $(-1/k, 1/k)$. If so, 
then $x_i$ is the approximate root of the equation. Otherwise, the computing 
phase is performed, in which all participants compute together to get $x_{i+1}$. 

For some equations, the Newton-Raphson method cannot converge to the right 
answer. We can employ other methods such as the bisection method to deal with 
such situations. In fact, we found that the bisection method can deal with many more 
kinds of one-dimensional equations than the Newton-Raphson method in the multi-party 
computation scenario. But the bisection method has shortcomings too. It is 
well-known that the bisection method cannot be used to solve multi-dimensional 
problems, and it is much slower than the Newton-Raphson method. So we still 
choose the Newton-Raphson method as the default one. 
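As an added example (not code from the paper or its authors), the following Python puts together the real-to-$GF(p)$ encoding of Section 2 with its scale tracking, the blinded division protocol, and the Newton-Raphson loop of Section 3 for Case 2 of Table 1. It assumes $p = 2^{521}-1$ and $k = 10^6$, stands in for the paper's secure addition and multiplication sub-protocols with plain field arithmetic on one machine, and assumes the iterate $x_i$ is opened to both parties each round.

```python
"""Added example (not from the paper): fixed-point encoding of reals into
GF(p) with scale tracking, the blinded division protocol of Section 2, and
the Newton-Raphson loop of Section 3 for Case 2 (Alice holds polynomial f,
Bob holds g). Assumptions: the paper's secure +, -, x sub-protocols are stood
in by plain field arithmetic here; the iterate x_i is opened each round."""
import random

P = 2**521 - 1   # Mersenne prime; p/2 must exceed every intermediate at its scale
K = 10**6        # conversion rate k: error controlled to about +-0.5e-6


def encode(r: float, exp: int = 1) -> int:
    """Equation (1): F = [R * k^exp] mod p; negatives wrap into the upper half."""
    return round(r * K**exp) % P


def decode(f: int, exp: int = 1) -> float:
    """Equation (2): F/k^exp if F < p/2, else -(p - F)/k^exp."""
    scale = K**exp
    return f / scale if f < P // 2 else -(P - f) / scale


class Shared:
    """Stand-in for a secret-shared field element; exp is the power of k it
    carries, which multiplication raises and addition must align."""
    def __init__(self, f: int, exp: int = 1):
        self.f, self.exp = f % P, exp

    def real(self) -> float:
        return decode(self.f, self.exp)


def add(u: Shared, v: Shared) -> Shared:
    """a + b*c is computed as a*k + (b*k)(c*k): lift the lower-scale operand."""
    e = max(u.exp, v.exp)
    return Shared(u.f * K**(e - u.exp) + v.f * K**(e - v.exp), e)


def sub(u: Shared, v: Shared) -> Shared:
    return add(u, Shared(-v.f, v.exp))


def mul(u: Shared, v: Shared) -> Shared:
    return Shared(u.f * v.f, u.exp + v.exp)


def publish_m(b: Shared, x1: float, x2: float, eps1: float = 0.0, eps2: float = 0.0) -> Shared:
    """Step 2 of the division protocol. With eps1 = eps2 = 0 (first version)
    the published m is an exact integer multiple of b's encoding, so b leaks
    as a factor of m; the modified version adds the tiny blinding terms."""
    prod = mul(mul(b, Shared(encode(x1))), Shared(encode(x2)))   # carries k^3
    e = prod.exp
    return add(add(prod, Shared(encode(eps1, e), e)), Shared(encode(eps2, e), e))


def secure_divide(a: Shared, b: Shared, x1: float, x2: float, eps1: float, eps2: float) -> Shared:
    """Modified protocol: r = a * (1/m) * x1 * x2 with m = b*x1*x2 + eps1 + eps2."""
    m = publish_m(b, x1, x2, eps1, eps2)
    inv_m = Shared(encode(1.0 / m.real()))         # step 3: 1/m from the public m
    return mul(mul(mul(a, inv_m), Shared(encode(x1))), Shared(encode(x2)))


def horner(coeffs: list, y: Shared) -> Shared:
    """Alice's private polynomial f (coefficients, highest degree first)
    evaluated at the shared y with the +/x stand-ins."""
    acc = Shared(encode(coeffs[0]))
    for c in coeffs[1:]:
        acc = add(mul(acc, y), Shared(encode(c)))
    return acc


def derivative(coeffs: list) -> list:
    d = len(coeffs) - 1
    return [c * (d - j) for j, c in enumerate(coeffs[:-1])]


def newton_case2(f_coeffs, g, g_prime, x0, rng=None, max_iter=50) -> float:
    """Solve f(g(x)) = 0: checking phase |r(x_i)| < 1/k, then computing phase
    x_{i+1} = x_i - r(x_i)/r'(x_i) with r'(x) = f'(g(x)) g'(x) (equation (8))."""
    rng = rng or random.Random(7)       # constructed, seeded so runs repeat
    x, fp = x0, derivative(f_coeffs)
    for _ in range(max_iter):
        y, dy = Shared(encode(g(x))), Shared(encode(g_prime(x)))   # Bob, locally
        r = horner(f_coeffs, y)                                    # jointly
        if abs(r.real()) < 1.0 / K:       # checking phase (value opened here)
            return x
        r_prime = mul(horner(fp, y), dy)
        blind = [rng.uniform(1.0, 2.0), rng.uniform(1.0, 2.0),
                 rng.uniform(-1.0, 1.0) / K, rng.uniform(-1.0, 1.0) / K]
        x = x - secure_divide(r, r_prime, *blind).real()
    return x


if __name__ == "__main__":
    print(secure_divide(Shared(encode(8.1)), Shared(encode(2.7)), 1.3, 0.7, 3e-5, -2e-5).real())
    print(newton_case2([1.0, 0.0, -4.0], lambda x: x + 1.0, lambda x: 1.0, 2.0))
```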

4. Summary and Future Work 

In this paper, we provide a new multi-party computation protocol over reals. 
By encoding real numbers into members of a finite field, addition, subtraction 
and multiplication can be done in a very simple way. And we can easily 
see that the addition, subtraction, and multiplication protocols are as secure 
as Gennaro's protocol [6]. Division is done in a much more complex way. 

We also studied the problem of equation solving in a cooperative environment 
where neither of the cooperating parties wants to disclose its private data to the 
other party. Our preliminary work has shown that this problem, the secure 
multi-party equation solving problem, could be solved in a way more efficient 
than the general circuit evaluation approach. 

Apart from those basic equations studied in this paper, many other types of 
equations are also used in practice. A future direction would be to study more 
complicated equation solving problems. 

References 

[1] Abe, M. (1999). Mix-networks on permutation networks. In ASIACRYPT 99, pages 258-273. 

[2] Yao, A. C. (1982). Protocols for secure computations. In Proc. 23rd IEEE Symp. on the 
Foundations of Computer Science, pages 160-164. IEEE. 

[3] Cramer, R., Damgård, I., and Maurer, U. (2000). General secure multi-party computation 
from any linear secret-sharing scheme. Lecture Notes in Computer Science, 1807:316-?? 

[4] Du, W. and Atallah, M. J. (2001). Privacy-preserving statistical analysis. In Proceedings of 
the 17th Annual Computer Security Applications Conference, pages 102-110, New Orleans, 
Louisiana, USA. 

[5] Feldman, P. (1987). A practical scheme for non-interactive verifiable secret sharing. In 
28th FOCS, pages 427-437. 

[6] Gennaro, R., Rabin, M., and Rabin, T. (1998). Simplified VSS and fast-track multiparty 
computations with applications to threshold cryptography. In Proceedings of the 1998 
ACM Symposium on Principles of Distributed Computing, pages 101-111. 

[7] Goldreich, O. (2000). Secure multi-party computation. Working Draft. 

[8] Goldreich, O., Micali, S., and Wigderson, A. (1987). How to play any mental game. In 
Proceedings of the 19th Annual ACM Symposium on Theory of Computing, pages 218-229. 

[9] Franklin, M. and Haber, S. (1996). Joint encryption and message-efficient secure 
computation. Journal of Cryptology, 9(4):217-232. 

[10] Du, W. and Atallah, M. J. (2001). Privacy-preserving cooperative scientific computations. 
In 14th IEEE Computer Security Foundations Workshop, pages 273-282, Nova Scotia, 
Canada. 




AN AUTHENTICATED KEY AGREEMENT 
PROTOCOL RESISTANT TO DOS ATTACK 



Lu Haining 

Dept. of Computer Science and Engineering 
Shanghai Jiao Tong University 
longsky@263.net 



Gu Dawu 

Dept. of Computer Science and Engineering 
Shanghai Jiao Tong University 
gu-dw@cs.sjtu.edu.cn 

Abstract The Authenticated Key Agreement with Key Confirmation protocol proposed by 
Blake-Wilson et al. improves the original Diffie-Hellman key agreement protocol 
and defeats the man-in-the-middle attack. But it is vulnerable to a Denial-of- 
Service (DoS) attack, because the responder must perform heavy modular 
exponentiation operations before he becomes sure about the identity of the initiator. A 
modification which forces the initiator to perform modular exponentiation first 
is presented in this paper. According to the analysis, it can defeat the DoS attack 
successfully, and provide mutual key authentication and key confirmation as well. 

Keywords: authenticated key agreement protocol, denial-of-service attack. 

1. Introduction 

The first and best known key agreement protocol is Diffie-Hellman Key 
Exchange [1], from which many of the commonly used key agreement protocols 
are derived. But the original Diffie-Hellman protocol has the following 
two critical problems: 

1 Both sides of the communicating parties can not get an assurance that no 
other parties can possibly compute the keying information agreed. 

2 Each side of the communicating parties can not assure that the party he 
is communicating with has actually computed the agreed key. 
So this protocol is vulnerable to the man-in-the-middle attack. In 1997, Blake- 
Wilson et al. modified the original Diffie-Hellman protocol and proposed an 
authenticated key agreement protocol with key confirmation [2] (in short, the AKAKC 
protocol), which solved the problems mentioned above. But it is still vulnerable 
to DoS attack, because the responder must perform heavy modular exponentiation 
operations before identifying the initiator. 

The remainder of the paper is organized as follows. First we describe the 
AKAKC protocol and present the basic principle of the DoS attack. Then we 
propose an improved protocol which can defeat the DoS attack and provides mutual 
key authentication and confirmation as well. Finally we give the feasibility and 
security analysis of the improved protocol. 

2. AKAKC Protocol 

Figure 1 shows the details of the AKAKC protocol. The notations are 
described as follows: A and B are two trusted parties who communicate with 
each other. $p$ is a large prime, $q$ is a large prime divisor of $p - 1$, $g$ is an element 
of order $q$ in $Z_p^*$. $a$ and $b$ are the static private keys of A and B, $Y_A$ and $Y_B$ are the static 
public keys of A and B. $H_1$ and $H_2$ are two independent hash functions. MAC 
is a message authentication code algorithm. 

Figure 1. AKAKC Protocol (A holds $a, x$; B holds $b, y$; the last flow carries $MAC_{k'}(3, A, B, g^x, g^y)$; the message contents are listed step by step below) 



1 A selects $x \in_R [1, q - 1]$ and sends $R_A = g^x$ and $Cert_A$ to B. 

2 After receiving the requesting message, 

(a) B verifies that $1 < R_A < p$ and $(R_A)^q = 1 \pmod p$. If any check 
fails, then B terminates the protocol run with failure. 

(b) B selects $y \in_R [1, q - 1]$, and computes $k' = H_1(\ldots \,\|\, (R_A)^b)$, 
$k = H_2((Y_A)^y \,\|\, (R_A)^y)$ and $m_B = MAC_{k'}(2, B, A, R_B, R_A)$. 

(c) B sends $R_B$, $Cert_B$, and $m_B$ to A. 

3 After receiving the responding message, 

(a) A verifies that $1 < R_B < p$ and $(R_B)^q = 1 \pmod p$. If any check 
fails, then A terminates the protocol run with failure. 

(b) A computes $k' = H_1((Y_B)^x \,\|\, (R_B)^a)$ and $m_B' = MAC_{k'}(2, B, A, R_B, R_A)$, 
and verifies $m_B' = m_B$. 

(c) A computes $m_A = MAC_{k'}(3, A, B, R_A, R_B)$, $k = H_2((Y_B)^x \,\|\, (R_B)^x)$, 
and sends $R_A$ and $m_A$ to B. 

4 B computes $m_A' = MAC_{k'}(3, A, B, R_A, R_B)$ and verifies that $m_A' = m_A$. 

5 The session key is $k$. 

This protocol provides mutual key authentication and key confirmation. 

3. DoS attack 

To generate a valid requesting message, the initiator only needs to choose 
a number between 1 and $p$ which, raised to the power $q$, is 1 modulo $p$. But when 
receiving a valid requesting message, the responder must perform three modular 
exponentiation operations, which cost a lot. If an attacker sends a 
large number of valid requesting messages to some party, the target will soon get its 
computational resources exhausted and cannot respond to requests from 
other users. Now the attacker wins. 

4. An improved protocol which can defeat DoS attack 

4.1 Basic idea of the improved protocol [3] 

The reason why the DoS attack works is that it is much easier to generate 
the requesting message than the responding one. So we have the following 
idea. After receiving a valid requesting message, the responder does not perform 
any heavy computation such as modular exponentiation. Instead, he generates 
fresh random material from some secret information and his private key, and 
passes it to the initiator. Reconstruction of the secret information from this 
material requires heavy computation. The responder will continue the protocol and 
perform modular exponentiation only after being assured that the initiator has already 
reconstructed the secret. Thus the attacker will fall into heavy computation together with 
the responder and fail the attack. 

4.2 Description ofthe improved protocol 

Figure 2 shows the details of the improved protocol. The notations are 
described as follows: A and B are two trusted parties who communicate with 
each other. $p$ is a large prime, $q$ is a large prime divisor of $p - 1$, $g$ is an element 
of order $q$ in $Z_p$. $a$ and $b$ are the static private keys of A and B, $Y_A$ and $Y_B$ are the static 
public keys of A and B. $H_1$ and $H_2$ are two independent hash functions. MAC 
is a message authentication code algorithm. 



Figure 2. The Improved Protocol (A holds $a, x$; B holds $b$ and a precomputed pair $t, y$; messages (1), (2) and (3) carry $g^x$; $g^y$, $e_B$, $w_B$; and $h_A$, $e_A$, $w_A$ respectively, with $k_A = g^s$; the contents are listed step by step below) 



1 During the precomputation stage, B continuously selects $(t, y)$ pairs from $[1, q - 1]$ 
and computes $g^t$ and $g^y$. 

2 A selects $x \in_R [1, q - 1]$, and sends $R_A = g^x$ and $Cert_A$ to B. 

3 After receiving message (1): 

(a) B verifies that $1 < R_A < p$ and $(R_A)^q = 1 \pmod p$. If any check 
fails, then B terminates the protocol run with failure. 

(b) B selects a $(g^t, g^y)$ pair generated during the precomputation stage, 
lets $k_B = g^t$, and computes $e_B = MAC_{k_B}(2, B, A, g^x, g^y)$ and 
$w_B = t / (y + b \cdot e_B) \bmod q$. 

(c) B sends $R_B = g^y$, $e_B$, $w_B$ and $Cert_B$ to A. 

4 After receiving message (2), 

(a) A verifies that $1 < R_B < p$ and $(R_B)^q = 1 \pmod p$. If any check 
fails, then A terminates the protocol run with failure. 

(b) A computes $k_B' = g^{(y + b \cdot e_B)\, w_B}$ (as $(R_B \cdot Y_B^{e_B})^{w_B}$) and 
$e_B' = MAC_{k_B'}(2, B, A, g^x, g^y)$, and verifies that $e_B' = e_B$. 







(c) A selects $s \in_R [1, q - 1]$, and computes $h_A = H_1(k_B', g^x, g^y)$, $k_A = g^s$, 
$e_A = MAC_{k_A}(3, A, B, g^x, g^y)$ and $w_A = s / (x + a \cdot e_A) \bmod q$. 

(d) A sends $h_A$, $e_A$, $w_A$ to B. 

5 After receiving message (3), 

(a) B computes $h_A' = H_1(k_B, g^x, g^y)$, and verifies that $h_A' = h_A$. 

(b) B computes $k_A' = g^{(x + a \cdot e_A)\, w_A}$ (as $(R_A \cdot Y_A^{e_A})^{w_A}$) and 
$e_A' = MAC_{k_A'}(3, A, B, g^x, g^y)$, and verifies $e_A' = e_A$. 

6 The session key is $k = H_2(g^{xy} \,\|\, g^{ab})$. 

4.3 The analysis of the improved protocol 

1 Against DoS attack 

First we suppose that we can limit the requesting messages from the 
attacker by a Network Ingress Filter [4] to the extent that the $(g^t, g^y)$ pairs 
generated during the precomputation stage won't be exhausted. We also 
suppose that the attacker's computational resources are 
similar to the responder's. 

After receiving a request, the responder only needs to perform a MAC 
computation and some simple modular arithmetic. After receiving message 
(3), the responder first computes a hash value and verifies that 
$h_A' = h_A$. If the verification succeeds, it means that the initiator has 
already computed $k_B$ by performing modular exponentiation. Only after 
successful verification will the responder continue the protocol and 
perform modular exponentiation to further verify the message and compute the 
session key. So, if a malicious attacker wants the responder to perform the 
last modular exponentiation, he must perform heavy computation first 
when receiving message (2). And he will fall into heavy computation together with 
the responder, and fail the attack. 

2 Provide mutual key authentication 

If someone wants to compute the session key $k = H_2(g^{xy} \,\|\, g^{ab})$, he 
must also acquire $a$ or $b$ and $x$ or $y$ besides $g^x$, $g^a$ and $g^y$, which 
can be acquired from the communication messages. Any party except A 
and B can only compute from $e_A$, $e_B$, $w_A$, $w_B$ and $h_A$. $e_B$ and $e_A$ are 
authentication codes and $h_A$ is a hash value, so they won't reveal the original 
information. In the expressions of $w_B$ and $w_A$ there are three unknowns, 
$(t, y, b)$ and $(s, x, a)$ respectively. If $q$ is very large, there will be a lot 
of suitable solutions. So, when the protocol finishes, A and B can both be 
assured that no other party can compute the session key $k$. 

3 Provide mutual key confirmation 

In the fourth step, A can determine whether B knows $g^t$ by verifying $e_B' = e_B$. 
Similarly, B can determine whether A possesses $g^s$ by verifying $e_A' = e_A$ in 
the fifth step. And because A and B can get each other's public key, 
both of them can be assured that the other side can compute the session key 

$k = H_2(g^{xy} \,\|\, g^{ab})$. 
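As an added example (not the authors' code), the following Python walks one run of the improved protocol of Section 4.2 on a constructed toy group and counts each side's online modular exponentiations, then repeats the run with a forged message (3) to show the cheap hash gate argued in Section 4.3. The MAC, the hash functions and the group parameters are assumptions named in the docstring; the $\in_R$ choices use a seeded generator so the run repeats.

```python
"""Added example (not the paper's code): one run of the improved protocol of
Section 4.2 on a constructed toy group, counting the modular exponentiations
each side performs online so the asymmetry argued in Section 4.3 is visible.
Assumptions: MAC = HMAC-SHA256 reduced to an integer in [1, q-1] so it can
sit in an exponent; H1 and H2 = SHA-256; p = 23, q = 11, g = 2 are toy values."""
import hashlib
import hmac
import random

P, Q, G = 23, 11, 2          # q divides p - 1 and g has order q modulo p
EXPS = {"A": 0, "B": 0}      # online modular exponentiations per party


def modexp(who: str, base: int, e: int) -> int:
    EXPS[who] += 1
    return pow(base, e, P)


def mac(key: int, *fields) -> int:
    msg = "|".join(map(str, fields)).encode()
    tag = hmac.new(str(key).encode(), msg, hashlib.sha256).digest()
    return 1 + int.from_bytes(tag, "big") % (Q - 1)


def h(*fields) -> str:       # stands in for both H1 and H2
    return hashlib.sha256("|".join(map(str, fields)).encode()).hexdigest()


def valid(who: str, r: int) -> bool:
    """Steps 3(a)/4(a): 1 < R < p and R^q = 1 (mod p)."""
    return 1 < r < P and modexp(who, r, Q) == 1


def precompute_pairs(n: int, rng) -> list:
    """Step 1: B's offline (t, y, g^t, g^y) pairs; not counted as online cost."""
    return [(t, y, pow(G, t, P), pow(G, y, P))
            for t, y in [(rng.randrange(1, Q), rng.randrange(1, Q)) for _ in range(n)]]


def responder_msg2(b: int, pairs: list, RA: int):
    """Step 3: after the order check B only computes a MAC and
    w_B = t / (y + b e_B) mod q; k_B = g^t comes from the precomputed pair."""
    if not valid("B", RA):
        return None
    for pair in pairs:
        t, y, gt, gy = pair
        eB = mac(gt, 2, "B", "A", RA, gy)
        den = (y + b * eB) % Q
        if den:                                   # otherwise w_B is undefined
            return (gy, eB, t * pow(den, -1, Q) % Q), pair
    raise RuntimeError("no usable precomputed pair")


def initiator_msg3(a: int, x: int, RA: int, YB: int, msg2, rng):
    """Step 4: A must exponentiate to recover k_B = g^{(y + b e_B) w_B} = g^t
    before it can produce h_A; this is the work an attacker cannot skip."""
    RB, eB, wB = msg2
    if not valid("A", RB):
        return None
    kB = modexp("A", RB * modexp("A", YB, eB) % P, wB)
    if mac(kB, 2, "B", "A", RA, RB) != eB:
        return None
    while True:                                   # need x + a e_A != 0 mod q
        s = rng.randrange(1, Q)
        kA = modexp("A", G, s)
        eA = mac(kA, 3, "A", "B", RA, RB)
        den = (x + a * eA) % Q
        if den:
            return h(kB, RA, RB), eA, s * pow(den, -1, Q) % Q


def responder_finish(b: int, pair, RA: int, YA: int, msg3):
    """Step 5: one cheap hash check gates all of B's remaining exponentiations."""
    t, y, gt, gy = pair
    hA, eA, wA = msg3
    if h(gt, RA, gy) != hA:                       # 5(a): no exponentiation yet
        return None
    kA = modexp("B", RA * modexp("B", YA, eA) % P, wA)   # g^{(x + a e_A) w_A} = g^s
    if mac(kA, 3, "A", "B", RA, gy) != eA:
        return None
    return h(modexp("B", RA, y), modexp("B", YA, b))    # k = H2(g^xy || g^ab)


def run(seed: int = 1, honest: bool = True) -> tuple:
    """Returns (key_A, key_B, exponentiation counts). With honest=False the
    initiator sends a valid request but forges message (3) without computing
    k_B, which is all a request-flooding attacker can afford to do."""
    rng = random.Random(seed)                     # constructed, repeatable run
    EXPS["A"] = EXPS["B"] = 0
    a, b = rng.randrange(1, Q), rng.randrange(1, Q)
    YA, YB = pow(G, a, P), pow(G, b, P)           # static public keys, offline
    pairs = precompute_pairs(8, rng)
    x = rng.randrange(1, Q)
    RA = modexp("A", G, x)                        # message (1)
    msg2, pair = responder_msg2(b, pairs, RA)     # message (2)
    if honest:
        msg3 = initiator_msg3(a, x, RA, YB, msg2, rng)
        keyA = h(modexp("A", msg2[0], x), modexp("A", YB, a))
    else:
        msg3, keyA = ("forged-h_A", 1, 1), None
    keyB = responder_finish(b, pair, RA, YA, msg3)   # message (3)
    return keyA, keyB, dict(EXPS)
```

In the honest run B spends five online exponentiations (order check, two to recover $g^s$, two for the key); against the forged message (3) it stops after the single order check.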

5. Summary 

The AKAKC protocol proposed by Blake-Wilson et al. is vulnerable to DoS 
attack because the responder must perform heavy modular exponentiation 
before identifying the initiator. The improved protocol presented in this 
paper can defeat the DoS attack by forcing the initiator to perform modular 
exponentiation first. When the attacker launches a DoS attack, he will fall into heavy 
computation together with the responder and fail the attack. 

According to the analysis, the improved protocol can defeat the DoS attack 
successfully, and provide mutual key authentication and confirmation as well. 

The idea behind the design of this protocol can also be applied to revising other 
public-key based authenticated key agreement protocols, such as IKE. 
Abstract We will show that the structured ElGamal-type multisignature scheme due to 
Burmester et al. is not secure if the adversary attacks key generation. 

Keywords: cryptanalysis, multi-signature, authentication 

1. Introduction 

A multisignature scheme lets plural users generate a signature on a 
message, and the signature is verified. Recently, Burmester et al. [1] 
presented a structured ElGamal-type scheme (Burmester et al.'s scheme), which is 
based on the discrete logarithm problem (DLP). This letter shows that Burmester 
et al.'s scheme is not secure if the adversary attacks key generation. In the 
following, a brief review of Burmester et al.'s scheme is given, and then an attack 
is proposed. 

2. Brief review of Burmester et al.'s scheme 

We assume that $n$ signers $I_1, I_2, \ldots, I_n$ generate a signature on a fixed message 
$M$ according to an order fixed beforehand. Burmester et al.'s scheme is as 
follows: 

Key generation: In Burmester et al.'s scheme, there are three public system 
parameters. The parameters $p$ and $q$ are two large prime numbers, $p > q$; the 
parameter $g \in Z_p$ is an element of order $q$; $h(\,)$ is a public hash function. Each 
user selects his private key $a_i \in Z_p$, then computes his public key sequentially 
as follows: 

$y_1 = g^{a_1} \bmod p, \quad y_i = (y_{i-1}\, g)^{a_i} \bmod p$ 

then the public key of the ordered group $I_1, I_2, \ldots, I_n$ is set to $y = y_n$. 



Signature generation: 

1 Generation of $r$. Signers $I_1, I_2, \ldots, I_n$ generate $r$ together as follows: 

(a) Player $I_1$ selects $k_1 \in Z_q$ randomly and computes $r_1 = g^{k_1} \bmod p$; 
if $\gcd(r_1, q) \neq 1$, then a new $k_1$ is selected again. 

(b) For $i \in 2, 3, \ldots, n$, $I_{i-1}$ sends $r_{i-1}$ to $I_i$, and $I_i$ selects $k_i \in Z_q$ 
randomly and computes $r_i = r_{i-1}^{\,a_i}\, g^{k_i} \bmod p$; if $\gcd(r_i, q) \neq 1$, 
then a new $k_i$ is selected again. 

(c) $r = r_n$ 

2 Generation of $s$. Signers $I_1, I_2, \ldots, I_n$ generate $s$ together as follows: 

(a) $I_1$ computes $s_1 = a_1 + k_1 r h(r, M) \bmod q$ 

(b) For $i \in 2, 3, \ldots, n$, $I_{i-1}$ sends $s_{i-1}$ to $I_i$. $I_i$ verifies that 

$g^{s_{i-1}} = y_{i-1}\, r_{i-1}^{\,r h(r, M)} \bmod p,$ 

then computes 

$s_i = (s_{i-1} + 1)\, a_i + k_i r h(r, M) \bmod q$ 

(c) $s = s_n$ 

3 The multisignature on $M$ by the order $(I_1, I_2, \ldots, I_n)$ is given by $(r, s)$. 

Signature verification: 

A multisignature $(r, s)$ on $M$ is verified by 

$g^s = y\, r^{\,r h(r, M)} \bmod p$   (1) 

If the adversary attacks key generation, the above scheme is not secure at all. 
3. Our attack 

Key generation is the same as in Burmester et al.'s scheme except that player $I_j$ is 
bad and generates his public key by choosing a secret key $a_j$ and setting 
$y_j = g^{a_j} \bmod p$. The key of the ordered group $(I_1, I_2, \ldots, I_n)$ is set to $y = y_n$. 

In this case, the multisignature $(r, s)$ on $M$ can be generated without $I_1, \ldots, 
I_{j-1}$ signing it: 

1 Generation of $r$. 

(a) Player $I_j$ selects $k_j \in Z_q$ randomly and computes $r_j = g^{k_j} \bmod p$; 
if $\gcd(r_j, q) \neq 1$, then a new $k_j$ is selected again. 

(b) For $i \in j + 1, \ldots, n$, signer $I_{i-1}$ sends $r_{i-1}$ to $I_i$, and $I_i$ 
selects $k_i \in Z_q$ randomly and computes $r_i = r_{i-1}^{\,a_i}\, g^{k_i} \bmod p$; if 
$\gcd(r_i, q) \neq 1$, then a new $k_i$ is selected again. 

(c) $r = r_n$ 

2 Generation of $s$: the signers generate $s$ as follows: 

(a) $I_j$ computes $s_j = a_j + k_j r h(r, M) \bmod q$ 

(b) For $i \in j + 1, \ldots, n$, $I_{i-1}$ sends $s_{i-1}$ to $I_i$; $I_i$ verifies that 

$g^{s_{i-1}} = y_{i-1}\, r_{i-1}^{\,r h(r, M)} \bmod p,$ 

then computes 

$s_i = (s_{i-1} + 1)\, a_i + k_i r h(r, M) \bmod q$ 

(c) $s = s_n$ 

3 The bad multisignature on $M$ is $(r, s)$. 

Verification: it is obvious that for the above bad multisignature $(r, s)$, 
equation (1) still holds: 

$g^s = y\, r^{\,r h(r, M)} \bmod p$ 

The above attack shows that $I_j$ can cheat $I_{j+1}, \ldots, I_n$ into signing any message $M$ 
without $I_1, \ldots, I_{j-1}$ signing it. Especially, when $j = n$, player 
$I_n$ can sign any message $M$ it wants on behalf of the entire group $I_1, I_2, \ldots, I_n$. 

4. Summary 

We have presented an attack on Burmester et al.'s scheme; the attack shows 
that Burmester et al.'s scheme is insecure against attacks on key generation. It is 
possible to modify Burmester et al.'s scheme by requiring each player 
to provide a zero-knowledge proof of knowledge (ZKPoK) of the discrete 
log of $y_i / y_{i-1}$ in base $g$. 
Abstract A strong proxy signature scheme [7] based on Schnorr's scheme was proposed 
by B. Lee et al. in 2001. In this paper we show that in the aforementioned scheme, the 
original signer may misuse a proxy signer's signature of a message M to forge 
the proxy signer's normal signature of M. 

Keywords: cryptanalysis, digital signature, proxy signature 

1. Introduction 

Digital signatures play a more and more important role in distributed 
environments. With digital signatures [1,2,3], the transmission of messages on the 
Internet can achieve authenticity, data integrity, and non-repudiation. Traditional 
handwritten signatures are being replaced by digital ones. Digital signature schemes 
provide the cryptographic services of authentication, data integrity, and non- 
repudiation. Sometimes we have the following scenario: a department manager, 
say A, is responsible for signing some documents. However, he is busy 
with other important business and has no time to sign these documents, or he 
is not in the office at the time. In those cases, A would like to delegate 
his signing capability to his secretary, say B, so that B can sign documents on 
behalf of A if A is not available. In the above scenario, we need a so-called 
proxy signature scheme: a potential signer A delegates his signing capability to 
a proxy signer B (in some way, A tells B what kind of messages B can sign), 
and B signs a message on behalf of the original signer A; the recipient of the 
message verifies the signature of B and the delegation of A together. Since the 
concept of proxy signature was introduced by Mambo et al. [4] in 1996, many 
proxy signature schemes have been proposed [4,5,6,7], all of which are based on 
Schnorr's signature scheme [3]. According to the undeniability property, 
proxy signature schemes are classified into two models in [7]: strong proxy signature 
and weak proxy signature. 

■ Strong proxy signature: it represents both original signer’s and proxy 
signer's signatures. Once a proxy signer creates a valid proxy signature, 
he cannot repudiate his signature creation against anyone. 

■ Weak proxy signature: it represents only original signer's signature. It 
does not provide non-repudiation of proxy signer. 

In [7], B. Lee, H. Kim, and K. Kim also proposed a strong proxy signature scheme, which we will call the LKK scheme. In this paper, we show that the LKK scheme is vulnerable to a new attack. Section 2 gives a brief review of Schnorr's scheme and of the LKK strong proxy signature scheme. Section 3 describes our new attack against the LKK scheme, and Section 4 concludes this paper.

2. Brief review of related schemes and our attack 

2.1 Schnorr’s scheme [3] 

Let us first see how Schnorr's digital signature scheme works.

Let $p$ and $q$ be large primes with $q \mid p - 1$. Let $g$ be a generator of the multiplicative subgroup of $Z_p^*$ of order $q$, and let $H(\cdot)$ denote a collision-resistant hash function.

A signer A has a private key $x_A \in Z_q$ and the corresponding public key $y_A = g^{x_A} \bmod p$. To sign a message $M$, A acts as follows:

1 Choose a random $k \in Z_q$;

2 Compute $r = g^{k} \bmod p$ and $s = k + x_A H(M, r) \bmod q$;

3 Define the signature on $M$ to be the pair $(r, s)$.

The signature is verified by checking that

$g^{s} = r\, y_A^{H(M, r)} \bmod p$. (1)

2.2 LKK strong proxy signature scheme 

The following proxy signature scheme has been introduced in [7]. It is based on the above Schnorr scheme.

Suppose that the original signer A has a key pair $(x_A, y_A)$, with $x_A$ A's private key and $y_A = g^{x_A} \bmod p$ his public key. The (future) proxy signer B also has his own key pair $(x_B, y_B)$, with $x_B$ the private key and $y_B = g^{x_B} \bmod p$ the public key.

Generation of the proxy key. The original signer A uses Schnorr's scheme to sign warrant information $M_w$, which specifies what kind of messages A will allow the proxy B to sign on his behalf.

More precisely, A chooses at random $k_A \in Z_q$, and computes $r_A = g^{k_A} \bmod p$ and $s_A = k_A + x_A H(M_w, r_A) \bmod q$. Signer A sends $(M_w, r_A, s_A)$ to the proxy signer B secretly.

After B gets $(M_w, r_A, s_A)$, he verifies the validity of the Schnorr signature by checking whether the following equation holds:

$g^{s_A} = r_A\, y_A^{H(M_w, r_A)} \bmod p$. (2)

If eq. (2) holds, B computes his proxy key pair $(x_P, y_P)$ in this way: the private proxy key is

$x_P = x_B + s_A$, (3)

and the public proxy key is

$y_P = g^{x_P} \ (= y_B\, r_A\, y_A^{H(M_w, r_A)}) \bmod p$. (4)

Proxy signature generation. In order to create a proxy signature on a message $M$ conforming to the warrant information $M_w$, proxy signer B uses Schnorr's signature scheme with the keys $(x_P, y_P)$ and obtains a signature $(r_P, s_P)$ for the message $M$. The valid proxy signature is the tuple $(M, r_P, s_P, M_w, r_A)$.

Verification. A recipient can verify the validity of the proxy signature by checking that $M$ conforms to $M_w$ and that the verification equality of Schnorr's signature scheme holds with the public key $y_P \ (= y_B\, r_A\, y_A^{H(M_w, r_A)} \bmod p)$, which the recipient computes from $y_A$, $y_B$, $M_w$ and $r_A$.

Accept the proxy signature if and only if

$g^{s_P} = r_P\, y_P^{H(M, r_P)} \bmod p$ (5)

holds.

The authors claimed that the scheme satisfies the following security requirements [7]: strong unforgeability, verifiability, strong identifiability, strong undeniability and prevention of misuse. In the next section, we present a new attack on the LKK scheme.

3. Our attack 

If the original signer A is dishonest, he can forge B's signature on a message $M$ from a proxy signature.

After obtaining the proxy signature $(M, r_P, s_P, M_w, r_A)$, the original signer A may forge B's signature on the message $M$ as follows:

1 Compute $s' = s_A H(M, r_P) \bmod q$ (A knows $s_A$, since he produced the delegation);

2 Compute $s_B = s_P - s' \bmod q$, and take $r_B = r_P$.

Then $(r_B, s_B)$ and $M$ satisfy eq. (1), i.e. $g^{s_B} = r_B\, y_B^{H(M, r_B)} \bmod p$.

To see this, recall that

$r_B = r_P = g^{k_P} \bmod p$, $s_P = k_P + x_P H(M, r_P) \bmod q$,

where $k_P$ is the random number selected by B for the proxy signature on $M$, and $x_P = x_B + s_A$ by eq. (3). Then

$s_B = s_P - s' = k_P + (x_B + s_A) H(M, r_P) - s_A H(M, r_P) = k_P + x_B H(M, r_B) \bmod q$,

so $(r_B, s_B)$ is obviously B's Schnorr signature for the message $M$.

In other words, $(M, r_B, s_B)$ is a forged signature of B on the message $M$. Note that the attack requires $s_A$, which is sent to B secretly and is not part of the published proxy signature; only A (or B himself) can mount it, which is exactly why it breaks the separation of responsibility between the two parties.

Remark. J. Herranz et al. [8] claim that other signature schemes (ElGamal signature or DSS) can be used in the LKK strong proxy signature scheme. It should be noted that our attack works as well if DSS is used.
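The scheme of Section 2.2 and the forgery of Section 3, as an added worked example; this is not code from the paper or from [7]. It uses a toy Schnorr group ($p = 2039$, $q = 1019$, $g = 4$, constructed for this example and far too small for real use), instantiates the paper's $H(M, r)$ as SHA-256 reduced modulo $q$, and the function names, warrant text and message text are our own.

```python
import hashlib
import secrets

# Toy Schnorr group, constructed for this example: q | p-1 and g generates the
# order-q subgroup of Z_p^*.  Far too small for real use; only the algebra matters here.
P = 2039
Q = 1019
G = 4  # 4 = 2^2 mod p lies in the subgroup of squares, which has order q


def H(msg: bytes, r: int) -> int:
    """The paper's collision-resistant H(M, r); instantiated here (our assumption)
    as SHA-256 over the message and r, reduced modulo q."""
    digest = hashlib.sha256(msg + b"\x00" + r.to_bytes(4, "big")).digest()
    return int.from_bytes(digest, "big") % Q


def keygen():
    """Schnorr key pair (x, y = g^x mod p)."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def schnorr_sign(x: int, msg: bytes):
    """Section 2.1, steps 1-3: r = g^k mod p, s = k + x*H(M, r) mod q."""
    k = secrets.randbelow(Q - 1) + 1
    r = pow(G, k, P)
    s = (k + x * H(msg, r)) % Q
    return r, s


def schnorr_verify(y: int, msg: bytes, sig) -> bool:
    """Eq. (1): g^s == r * y^H(M, r) mod p."""
    r, s = sig
    return pow(G, s, P) == (r * pow(y, H(msg, r), P)) % P


def lkk_delegate(x_A: int, warrant: bytes):
    """A signs the warrant M_w and sends (M_w, r_A, s_A) to B secretly."""
    r_A, s_A = schnorr_sign(x_A, warrant)
    return warrant, r_A, s_A


def lkk_proxy_key(x_B: int, y_A: int, delegation):
    """B checks eq. (2) and derives (x_P, y_P) by eqs. (3) and (4)."""
    warrant, r_A, s_A = delegation
    if not schnorr_verify(y_A, warrant, (r_A, s_A)):
        raise ValueError("delegation does not verify under y_A")
    x_P = (x_B + s_A) % Q
    return x_P, pow(G, x_P, P)


def lkk_proxy_public_key(y_A: int, y_B: int, warrant: bytes, r_A: int) -> int:
    """What a verifier computes from public data, eq. (4): y_P = y_B * r_A * y_A^H(M_w, r_A) mod p."""
    return (y_B * r_A * pow(y_A, H(warrant, r_A), P)) % P


def lkk_proxy_sign(x_P: int, msg: bytes, delegation):
    """Proxy signature (M, r_P, s_P, M_w, r_A): a Schnorr signature under x_P."""
    warrant, r_A, _ = delegation
    r_P, s_P = schnorr_sign(x_P, msg)
    return msg, r_P, s_P, warrant, r_A


def lkk_verify(y_A: int, y_B: int, proxy_sig) -> bool:
    """Eq. (5).  Checking that M conforms to M_w is application policy and is not modelled."""
    msg, r_P, s_P, warrant, r_A = proxy_sig
    y_P = lkk_proxy_public_key(y_A, y_B, warrant, r_A)
    return schnorr_verify(y_P, msg, (r_P, s_P))


def forge_from_proxy(s_A: int, proxy_sig):
    """Section 3: A, who knows s_A, strips the delegation term out of s_P.
    s_B = s_P - s_A*H(M, r_P) = k_P + x_B*H(M, r_P) mod q, so (r_P, s_B) verifies under y_B."""
    msg, r_P, s_P, _, _ = proxy_sig
    s_prime = (s_A * H(msg, r_P)) % Q
    return r_P, (s_P - s_prime) % Q


def demo(warrant: bytes = b"B may sign purchase orders", msg: bytes = b"PO-1234: buy 10 units"):
    """Run delegation, proxy signing and A's forgery; return the checks a reader would want."""
    x_A, y_A = keygen()
    x_B, y_B = keygen()
    delegation = lkk_delegate(x_A, warrant)
    x_P, y_P = lkk_proxy_key(x_B, y_A, delegation)
    proxy_sig = lkk_proxy_sign(x_P, msg, delegation)
    forged = forge_from_proxy(delegation[2], proxy_sig)
    return {
        "public_proxy_key_matches_eq4": y_P == lkk_proxy_public_key(y_A, y_B, warrant, delegation[1]),
        "proxy_signature_valid_eq5": lkk_verify(y_A, y_B, proxy_sig),
        "forged_signature_valid_under_y_B": schnorr_verify(y_B, msg, forged),
    }


if __name__ == "__main__":
    print(demo())
```

The forgery needs only the values A already holds ($s_A$) plus the public proxy signature; no interaction with B takes place, which is why B cannot later distinguish his own ordinary signature on $M$ from A's forgery.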

4. Summary 

Lee et al. briefly modified the proposal of [5] and obtained a strong proxy signature scheme (the LKK scheme) [7]. However, this strong proxy signature scheme has a security flaw. We showed in this paper that in the LKK scheme, the original signer A is able to misuse his power to forge the proxy signer B's signature on a message which B has signed as a proxy signature. Because of the attack, the original signer may confuse his responsibility with the proxy signer's: a signature that looks like B's ordinary signature may in fact have been derived by A from a proxy signature, so B's ordinary signatures lose their non-repudiation.
Abstract The concept of "identity-based broadcast encryption" (IBBE) was presented and two IBBE schemes were proposed recently by Y. Mu et al. in [1]. Here we show that the two IBBE schemes suffer from a linear attack. We also point out that there is a wrong assumption in their schemes.
1. Introduction

Broadcast encryption systems are now more and more popular. A typical application of broadcast encryption is the broadcast of a pay-TV program. The broadcast center encrypts the TV program with a session key and broadcasts the encrypted signal to the users. Only those who paid for the program are able to decrypt it. An important issue in such a system is how to distribute the session key to the paying users; with the session key, those users are able to decrypt the broadcast. One way to solve the problem is to equip each user with a decoding box. The broadcast center first determines the group of users who paid for the program. It then chooses a session key, encrypts the session key with a public key algorithm, and broadcasts the encrypted session key to all users. Only the group of users who paid is able to decrypt the encrypted session key with their decoding boxes. After getting the session key, the decoding boxes decrypt the signal of the encrypted TV program for the users.

In [1], Y. Mu et al. proposed to use an identity-based public key system to solve the problem. In an identity-based public key system, each user's public key can be derived from his identity information, and his corresponding private key is determined by his public key. Each user in the broadcast encryption system registers his own identity information and gets the corresponding private key from the broadcast center. The broadcast center determines the group of users who paid for the program. The center collects all the identity information of the group to determine the public key of the group. The center then chooses a session key and uses the public key of the group to encrypt the session key. The center broadcasts the encrypted version of the session key to all users. Only the members of the paying group are capable of decrypting the encrypted session key with their own private keys.

In the next two sections, we introduce the two IBBE schemes proposed by Y. Mu et al. and give a linear attack on them. In Section 4, we also point out a wrong assumption in the IBBE schemes. Section 5 concludes this paper.

2. Identity-Based Broadcasting Scheme: MSL Scheme 1

In the rest of the paper, we call the IBBE schemes proposed by Y. Mu et al. the MSL schemes. The MSL schemes are based on bilinear pairings. Before presenting the MSL schemes, let us first see what bilinear pairings are.

2.1 Bilinear pairings

Let $G_1$ be a cyclic additive group generated by $P$, whose order is a prime $q$, and $G_2$ be a cyclic multiplicative group of the same order $q$. We assume that the discrete logarithm problems (DLP) in both $G_1$ and $G_2$ are hard. Let $e : G_1 \times G_1 \to G_2$ be a pairing which satisfies the following conditions:

1 Bilinear: $e(P_1 + P_2, Q) = e(P_1, Q)\, e(P_2, Q)$ and $e(P, Q_1 + Q_2) = e(P, Q_1)\, e(P, Q_2)$;

2 Non-degenerate: there exist $P \in G_1$ and $Q \in G_1$ such that $e(P, Q) \ne 1$;

3 Computability: there is an efficient algorithm to compute $e(P, Q)$ for all $P, Q \in G_1$.

We note that the Weil and Tate pairings associated with supersingular elliptic curves or abelian varieties can be modified to create such bilinear maps. We refer to [2, 3, 4, 5, 6] for more details.

2.2 MSL Scheme 1

Now let us see the details of the first MSL scheme in [1].

Suppose that in a TV broadcast system there are $n$ users in total. We denote the $n$ users by $U_1, U_2, \ldots, U_n$. The broadcast center provides different kinds of programs to the users. The users who paid for a specific program form a group. We denote the different user groups by Group $ID_i$, $i = 1, 2, \ldots$, where $ID_i$ is the identity information of the group.

The broadcast center chooses and pre-computes some parameters as follows.

1 The center chooses the public parameters $(G_1, G_2, e, H_2)$:

■ an additive group $G_1$ of order $q$;

■ a multiplicative group $G_2$ of the same order $q$;

■ a bilinear mapping $e(\cdot, \cdot) : G_1 \times G_1 \to G_2$;

■ a strong hash function $H_2 : G_2 \to \{0, 1\}^{*}$.

2 The center determines the private parameters $(x, P, v, u_i, \bar{u}_i, v_i)$, $i = 1, 2, \ldots, n$, as follows:

■ choose a prime $x \in Z_q$ as its master key, and $P \in G_1$;

■ choose a prime $p_i$ and an integer $f_i$ for user $U_i$, $i = 1, 2, \ldots, n$, and compute $u_i = p_i^{f_i}$ and $\bar{u}_i = u_i^{-1} \bmod q$. According to [1], the doublet $(u_i, \bar{u}_i)$ is a "qualified pair" associated with user $U_i$;

■ let $v = \prod_{i=1}^{n} p_i^{f_i}$;

■ choose the prime numbers such that $\gcd(v, q) = 1$;

■ compute $v_i$ such that $v \cdot v_i \bmod q = u_i$;

■ let $H_1 : \{0, 1\}^m \to G_1$ be a strong hash function.

Now suppose there is a user group, whose identity is $ID_i \in \{0, 1\}^m$, consisting of the users $U_{i_1}, U_{i_2}, \ldots, U_{i_w}$. The center determines the decryption key for user $U_{i_j}$, $j = 1, 2, \ldots, w$, in the group as follows.

1 Compute $d_{i_j}$ and $Q_{ID_i}$, and keep them secret:

■ set $d_{i_j} \leftarrow (x u_{i_j} + 1)\, v_{i_j} \bmod q$;

■ extract $Q_{ID_i}$ from the group identifier $ID_i$: $Q_{ID_i} \leftarrow H_1(ID_i)$.

2 Distribute the decryption key $D_{i_j} \leftarrow d_{i_j} Q_{ID_i}$ to user $U_{i_j}$.

The center chooses a session key $K_s$ and distributes $K_s$ to Group $ID_i$ with the following broadcast encryption scheme.

Encryption key $(E_1, E_2)$: The center determines the encryption key $(E_1, E_2)$:

■ set $u \leftarrow \prod_{j=1}^{w} u_{i_j} \bmod q$;

■ let $E_1 = uP$ and $E_2 = uvP$.

Encryption: With $(E_1, E_2, x)$, the center encrypts $K_s$ in the following way.

■ Choose a random number $r \in Z_q$. Let $R = rE_2$.

■ Let $b = e(E_1, (x + 1) Q_{ID_i})$ and $c = K_s \oplus H_2(b^r)$.

■ The ciphertext for $K_s$ is $(R, c)$.

Decryption: User $U_{i_j}$ decrypts the ciphertext $(R, c)$ with his own decryption key as follows.

■ Compute

$e(R, D_{i_j}) = e(ruvP, (x u_{i_j} + 1)\, v_{i_j} Q_{ID_i}) = e(ruP, (x u_{i_j} + 1) \ldots Q_{ID_i}) = e(rE_1, (x + 1) Q_{ID_i}) = b^r$. (1)

■ Recover the session key $K_s = c \oplus H_2(b^r)$.

The center encrypts the TV program with $K_s$ and broadcasts the encrypted program to every user, but only the members of Group $ID_i$ are able to watch the program after decryption.

2.3 Linear Attack on MSL Scheme 1

MSL Scheme 1 has an outstanding feature: the center can dynamically add a new user to a group, or remove an existing user from it, without involving the users. All the center has to do is update the encryption keys $(E_1, E_2)$.

Suppose that there is a group $ID_i$ consisting of the users $U_{i_1}, U_{i_2}, \ldots, U_{i_w}$.

■ When adding a new user $U_{i_{w+1}}$, the center updates $E_1 \leftarrow u_{i_{w+1}} E_1$ and $E_2 \leftarrow u_{i_{w+1}} E_2$.

■ When removing an existing user $U_{i_j}$, the center updates $E_1 \leftarrow \bar{u}_{i_j} E_1$ and $E_2 \leftarrow \bar{u}_{i_j} E_2$.

We know that in an IBBE system the important thing is to prevent a user from receiving TV programs he has not paid for. A legal user $U_i$ (a user who paid for the program) is issued a decryption key $D_i$. User $U_i$ can give away his decryption key to other, illegal users. However, the broadcast center can then trace the traitor $U_i$ from the decryption key $D_i$.

However, we find that it is possible for a number of legal users to collude and construct a new decryption key from their own decryption keys.

Suppose that in Group $ID_i$ there are $t$ colluders $U_{c_1}, U_{c_2}, \ldots, U_{c_t}$. Each colluder $U_{c_j}$ has his own decryption key $D_{c_j}$, $j = 1, 2, \ldots, t$.

1 The $t$ colluders choose integers $a_1, a_2, \ldots, a_t$ satisfying $a_1 + a_2 + \cdots + a_t = 1$.

2 Colluder $U_{c_j}$ computes $a_j D_{c_j}$, $j = 1, 2, \ldots, t$.

3 The $t$ colluders determine the value of $D = \sum_{j=1}^{t} a_j D_{c_j}$.

Now $D$ is a forged decryption key. In general $D$ is different from the decryption keys of the colluders (with $t \ge 2$ and all $a_j \ne 0$ it coincides with one of them only by accident). But with $D$, an illegal user is able to decrypt $(R, c)$ and recover the session key $K_s$.

Decryption: An illegal user decrypts the ciphertext $(R, c)$ with the forged decryption key $D$ as follows.

■ Compute

$e(R, D) = e\Big(R, \sum_{j=1}^{t} a_j D_{c_j}\Big) = \prod_{j=1}^{t} e(R, D_{c_j})^{a_j}$.

From Eq. (1), we know that $e(R, D_{c_j}) = b^r$ for every $j$, therefore

$e(R, D) = \prod_{j=1}^{t} (b^r)^{a_j} = b^{\,r \sum_{j=1}^{t} a_j} = b^r$.

■ Recover the session key $K_s = c \oplus H_2(b^r)$.

Since the forged decryption key $D$ is a linear combination of the colluders' decryption keys, we call the attack a "linear attack".

3. MSL Scheme 2 and Its Analysis

3.1 MSL Scheme 2

MSL Scheme 1 showed how the broadcast center broadcasts a session key $K_s$ to one group secretly. Now suppose that the center is going to broadcast the session key to several groups, say Group $ID_1$, Group $ID_2$, ..., Group $ID_k$. With MSL Scheme 1, the center has to encrypt $K_s$ with a different encryption key triplet $(E_1^{(i)}, E_2^{(i)}, x)$ and send the corresponding ciphertext to Group $ID_i$ for each $i = 1, 2, \ldots, k$. That means the center has to determine $k$ encryption keys, a number proportional to the number of groups.

In [1], another scheme, which we call MSL Scheme 2, is proposed to deal with the problem of broadcasting messages to multiple groups. In MSL Scheme 2, the center only has to determine one encryption key and broadcast some ciphertexts to the multiple groups. Below we describe MSL Scheme 2 and show that the scheme suffers from the linear attack as well.

Suppose that the session key $K_s$ will be distributed to Group $ID_1$, Group $ID_2$, ..., Group $ID_k$. In Group $ID_i$, $i = 1, 2, \ldots, k$, the member users are denoted by $U^{(i)}_{i_j}$, $j = 1, 2, \ldots$.

The center chooses three additional hash functions: $H_3 : \{0, 1\}^* \times \{0, 1\}^* \to Z_q$, $H_4 : G_2 \to G_2$, and $H_5 : G_2 \to \{0, 1\}^*$. $H_3$ and $H_5$ are kept secret, and $H_4$ is published.

The center determines the encryption key $(E_1, E_2)$:

■ set $u \leftarrow \prod_{i=1}^{k} \prod_{j} u^{(i)}_{i_j} \bmod q$;

■ let $E_1 = uP$ and $E_2 = uvP$.

With $(E_1, E_2, x)$, the center encrypts $K_s$ in the following way.

Encryption:

■ Choose a random number $\sigma \in Z_q$. Set $r \leftarrow H_3(\sigma, K_s)$. Let $R = rE_2$.

■ Let $b_{ID_i} = e(E_1, (x + 1) Q_{ID_i})$. Choose $\psi_{ID_i} \in G_2$ and get the masked value $b'_{ID_i} = b_{ID_i} \cdot \psi_{ID_i}$.

■ Compute $c_{ID_i} \leftarrow b'^{\,r}_{ID_i} \cdot H_4(b^{r}_{ID_i})$, and $c'_{ID_i}$ as $K_s$ XORed with a hash of the masking value.

■ The ciphertext of $K_s$ for Group $ID_i$ is $(c_{ID_i}, c'_{ID_i}, R)$.

■ Broadcast $(c_{ID_1}, c'_{ID_1}, \ldots, c_{ID_k}, c'_{ID_k}, R)$ to the groups.

Decryption: User $U^{(i)}_{i_j}$, $j = 1, 2, \ldots$, decrypts the ciphertext $(c_{ID_i}, c'_{ID_i}, R)$ with his own decryption key $D^{(i)}_{i_j}$ as follows.

■ Compute

$e(R, D^{(i)}_{i_j}) = e(ruvP, (x u_{i_j} + 1)\, v_{i_j} Q_{ID_i}) = e(ruP, (x u_{i_j} + 1) \ldots Q_{ID_i}) = e(rE_1, (x + 1) Q_{ID_i}) = b^{r}_{ID_i}$. (2)

■ From $c_{ID_i}$, $b^{r}_{ID_i}$ and the public hash $H_4$, recover $b'^{\,r}_{ID_i}$ and from it the masking value.

■ Recover the session key $K_s$ from $c'_{ID_i}$ by XORing with the hash of the masking value.

The only step that involves the member's secret is eq. (2); everything after it is public computation on $b^{r}_{ID_i}$ and the ciphertext.

3.2 Linear Attack on MSL Scheme 2

The linear attack works on MSL Scheme 2 in the same way. Suppose that in some group, say Group $ID^*$, there are $t$ colluders $U^{(*)}_{c_1}, U^{(*)}_{c_2}, \ldots, U^{(*)}_{c_t}$. Each colluder has his own decryption key $D^{(*)}_{c_j}$, $j = 1, 2, \ldots, t$. The attack is similar to the previous one on MSL Scheme 1.

1 The $t$ colluders choose integers $a_1, a_2, \ldots, a_t$ satisfying $a_1 + a_2 + \cdots + a_t = 1$.

2 Colluder $U^{(*)}_{c_j}$ computes $a_j D^{(*)}_{c_j}$, $j = 1, 2, \ldots, t$.

3 The $t$ colluders determine the value of $D = \sum_{j=1}^{t} a_j D^{(*)}_{c_j}$.

The session key can be recovered with the forged decryption key $D$ in the following way.

Decryption: An illegal user decrypts the ciphertext $(c_{ID^*}, c'_{ID^*}, R)$ with the forged decryption key $D$ as follows.

■ Compute, using Eq. (2) for each colluder's key,

$e(R, D) = \prod_{j=1}^{t} e(R, D^{(*)}_{c_j})^{a_j} = \prod_{j=1}^{t} (b^{r}_{ID^*})^{a_j} = b^{r}_{ID^*}$.

■ From $c_{ID^*}$ and $b^{r}_{ID^*}$, recover $b'^{\,r}_{ID^*}$ and the masking value exactly as a legitimate member does.

■ Recover the session key $K_s$ from $c'_{ID^*}$ by XORing with the hash of the masking value.

Given a forged decryption key $D = \sum_{j=1}^{t} a_j D_{c_j}$, if the broadcast center could uniquely determine the values $D_{c_1}, D_{c_2}, \ldots, D_{c_t}$, then the identities of the traitors could be traced. However, in our linear attack there may exist another set of users $U_{d_1}, U_{d_2}, \ldots, U_{d_s}$ and integers $\beta_1, \beta_2, \ldots, \beta_s$ such that $D = \sum_{j=1}^{t} a_j D_{c_j} = \sum_{j=1}^{s} \beta_j D_{d_j}$. Therefore the forged decryption key is untraceable to any of the traitors.

4. Remark on the Assumption of the Order of the Group

Bilinear pairings, including the Weil pairing and the Tate pairing, are an essential tool for constructing identity-based cryptosystems. In [1], the authors suggested using the Weil pairing for their identity-based encryption schemes (the MSL schemes). Suppose that $E$ is a supersingular elliptic curve over a field $K$ of positive characteristic, and $E[q]$ denotes the $q$-torsion group of $E$. The Weil pairing $e(\cdot, \cdot)$ is a mapping from $E[q] \times E[q]$ to a multiplicative group $G_2$ of order $q$ in some extension field of $K$. Here $E[q]$ plays the role of the additive group $G_1$ of order $q$.

It should be noted that to compute the Weil pairing, the parameter $q$ must be known (see [2, 3, 4]).

In [1], however, the order $q$ of the additive group is known only to the broadcast center; no user knows the value of $q$. But the members of the groups are required to compute some Weil pairings for decryption. Without $q$, it is impossible for the members to carry out the decryption.

If $q$ is public to all users, as [1] pointed out, there is a security threat. We now consider MSL Scheme 1. The $t$ colluders $U_{c_1}, U_{c_2}, \ldots, U_{c_t}$ can simply add their decryption keys and get $D = D_{c_1} + D_{c_2} + \cdots + D_{c_t}$. Since

$e(R, D_{c_i}) = b^r$, $i = 1, 2, \ldots, t$,

we have

$e(R, D) = e(R, D_{c_1})\, e(R, D_{c_2}) \cdots e(R, D_{c_t}) = b^{rt}$.

When $\gcd(t, q) = 1$, $t^{-1} \bmod q$ can be computed with the extended Euclidean algorithm, so $e(R, D)^{t^{-1}}$, i.e. $b^r$, can be easily determined. After getting $b^r$, the session key results directly from $K_s = c \oplus H_2(b^r)$. The same problem exists in MSL Scheme 2.
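The linear attack of Sections 2.3 and 3.2 and the key-summing variant of Section 4, as an added example; this is not the paper's code and it is not MSL Scheme 1 itself. Because the attack uses nothing but bilinearity, the pairing is replaced by a toy bilinear map $e(A, B) = g^{\langle A, B \rangle}$ over $G_1 = Z_q^2$ with $q = 1019$, constructed here and not secure. The `ToyCenter` class (our name) issues distinct member keys that all satisfy $e(R, D_j) = b^r$, which is the property eq. (1) provides, and $H_2$ is instantiated as truncated SHA-256; all other names are ours as well.

```python
import hashlib
import random
import secrets

# Toy stand-in for the pairing setting of Section 2.1, constructed for this example.
# G1 = Z_Q x Z_Q (additive), G2 = the order-Q subgroup of Z_P^* generated by G, and
# e(A, B) = G^<A, B> with <A, B> the dot product mod Q.  This map is bilinear and
# non-degenerate, which is all the linear attack uses; it is NOT a secure pairing.
P, Q, G = 2039, 1019, 4


def pair(A, B):
    """Bilinear map e: G1 x G1 -> G2 (toy instantiation)."""
    return pow(G, (A[0] * B[0] + A[1] * B[1]) % Q, P)


def add(A, B):
    return ((A[0] + B[0]) % Q, (A[1] + B[1]) % Q)


def smul(k, A):
    return ((k * A[0]) % Q, (k * A[1]) % Q)


def h2(elem):
    """H_2: G2 -> {0,1}^*, instantiated (our assumption) as SHA-256 truncated to 16 bytes."""
    return hashlib.sha256(elem.to_bytes(2, "big")).digest()[:16]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class ToyCenter:
    """Issues one decryption key per member such that e(R, D_j) = b^r for every
    member, the property eq. (1) gives in MSL Scheme 1.  Keys are distinct points."""

    def __init__(self, members, seed=None):
        rng = random.Random(seed)
        self.x = rng.randrange(1, Q)                        # master secret
        self.E1 = (rng.randrange(Q), rng.randrange(Q))
        self.E2 = (rng.randrange(1, Q), rng.randrange(Q))   # first coordinate non-zero
        self.Q_id = (rng.randrange(Q), rng.randrange(Q))    # plays the role of H_1(ID)
        self.b = pair(self.E1, smul(self.x + 1, self.Q_id))
        # Every key D_j must satisfy <E2, D_j> = beta := (x+1)<E1, Q_id>.  The points with
        # that property form the line base + lambda*N with <E2, N> = 0; the center hands
        # out distinct points on that line.
        beta = (self.x + 1) * (self.E1[0] * self.Q_id[0] + self.E1[1] * self.Q_id[1]) % Q
        e1, e2 = self.E2
        base = (beta * pow(e1, -1, Q) % Q, 0)
        N = (e2, (-e1) % Q)
        self.keys = [add(base, smul(lam, N)) for lam in rng.sample(range(1, Q), members)]

    def encrypt(self, Ks):
        """Encryption of Section 2.2: R = r*E2, c = Ks xor H2(b^r)."""
        r = secrets.randbelow(Q - 1) + 1
        return smul(r, self.E2), xor(Ks, h2(pow(self.b, r, P)))


def decrypt(R, c, D):
    """Member decryption: e(R, D) = b^r, then Ks = c xor H2(b^r)."""
    return xor(c, h2(pair(R, D)))


def linear_forge(keys, coeffs):
    """Section 2.3: D = sum a_j D_j with sum a_j = 1 (mod Q) is again a working key."""
    if sum(coeffs) % Q != 1:
        raise ValueError("coefficients must sum to 1")
    D = (0, 0)
    for a, Dj in zip(coeffs, keys):
        D = add(D, smul(a % Q, Dj))
    return D


def decrypt_with_key_sum(R, c, keys):
    """Section 4 variant: with q public, add the keys and undo the exponent t via t^{-1} mod q."""
    D = (0, 0)
    for Dj in keys:
        D = add(D, Dj)
    t_inv = pow(len(keys), -1, Q)             # needs gcd(t, q) = 1; q is prime here
    return xor(c, h2(pow(pair(R, D), t_inv, P)))


def coefficient_explaining(D, Da, Db):
    """Untraceability (Section 3.2): find beta with beta*Da + (1-beta)*Db = D, if it exists.
    Two distinct member keys span the whole key line, so a forged key can be 'explained'
    by a coalition that never produced it."""
    diff = add(Da, smul(Q - 1, Db))           # Da - Db
    i = 0 if diff[0] else 1
    if diff[i] == 0:
        return None
    beta = (D[i] - Db[i]) * pow(diff[i], -1, Q) % Q
    return beta if add(smul(beta, Da), smul((1 - beta) % Q, Db)) == D else None
```

`coefficient_explaining` is the center's tracing problem turned around: given a leaked forged key and any two honest members, it returns coefficients under which those two members would have produced it, so the key points at every pair of members equally.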

5. Conclusion

In this paper, we presented a linear attack on the identity-based broadcast encryption schemes proposed by Y. Mu et al. The linear attack shows that legal users in the same group can collude and forge a new decryption key from their own decryption keys. At the same time, under the linear attack it is impossible to trace the identities of the colluders. We also pointed out that the assumption underlying the MSL schemes is not reasonable: users are not able to decrypt if the order $q$ of the group $G_1$ (and $G_2$) is unknown to them, while if $q$ is known to the users, they can successfully collude.
Abstract Camellia is the final selection of 128-bit block cipher in NESSIE. In this paper, we present differential-linear cryptanalysis of modified Camellia reduced to 9 and 10 rounds. For modified Camellia with 9 rounds we can find the user key with $2^{14}$ chosen plaintexts and about $2^{180.4}$ encryptions, and for modified Camellia with 10 rounds we can find the user key with $2^{14}$ chosen plaintexts and about $2^{244.7}$ encryptions.

Keywords: block cipher, differential-linear cryptanalysis, data complexity, time complexity 

1. Introduction 

Camellia [1] is a 128-bit block cipher which was published by NTT and Mitsubishi in 2000; it was recently selected as a final selection of the NESSIE [2] project, and also suggested as a candidate for the CRYPTREC project in Japan [3]. The security of Camellia has been studied by many researchers [4-12]. The security of Camellia against higher-order differential cryptanalysis is discussed in [4] and [5]. A truncated differential attack on an 8-round variant of Camellia without the $FL/FL^{-1}$ functions is presented in [6], requiring $2^{\ldots}$ encryptions and $2^{83.6}$ chosen plaintexts. Truncated and impossible differential cryptanalysis of Camellia without the $FL/FL^{-1}$ functions is described in [7]. A differential attack on 9-round Camellia without the $FL/FL^{-1}$ functions is proposed in [8], requiring $2^{105}$ chosen plaintexts. The security of Camellia against the Square attack is discussed in [9] and [10]. Yeom et al. have studied integral properties and applied them to Camellia in [11]. Furthermore, a collision attack on reduced-round Camellia is introduced in [12].

In this paper we present differential-linear cryptanalysis of modified Camellia reduced to 9 and 10 rounds. Section 2 briefly describes the structure of Camellia. A 4-round differential characteristic with probability 1 is explained in Section 3. In Section 4, we show how to use the 4-round differential characteristic together with a 1-round linear approximation to attack modified Camellia reduced to 9 and 10 rounds. Finally, in Section 5 we summarize this paper.

2. Description of Camellia

Camellia has a 128-bit block size and supports 128-, 192- and 256-bit keys. The design of Camellia is based on the Feistel structure, and its number of rounds is 18 (128-bit key) or 24 (192/256-bit key). An $FL/FL^{-1}$ function layer is inserted every 6 rounds. Before the first round and after the last round there are pre- and post-whitening layers, which use bitwise exclusive-or operations with 128-bit subkeys. We consider Camellia without the $FL/FL^{-1}$ function layers and without the whitening layers, and call it modified Camellia.

Let $L_{r-1}$ and $R_{r-1}$ be the left and the right halves of the round input, and $k_r$ be the round subkey. Then the Feistel structure of Camellia can be written as

$L_r = R_{r-1} \oplus F(L_{r-1}, k_r)$,

$R_r = L_{r-1}$,

where $F$ is the round function defined below:

$F : F_2^{64} \times F_2^{64} \to F_2^{64}$, $(X_{(64)}, k_{(64)}) \mapsto Y_{(64)} = P(S(X_{(64)} \oplus k_{(64)}))$,

and $S$ and $P$ are defined as follows:

$S : F_2^{64} \to F_2^{64}$,

$l_{1(8)} \| l_{2(8)} \| l_{3(8)} \| l_{4(8)} \| l_{5(8)} \| l_{6(8)} \| l_{7(8)} \| l_{8(8)} \mapsto l'_{1(8)} \| l'_{2(8)} \| l'_{3(8)} \| l'_{4(8)} \| l'_{5(8)} \| l'_{6(8)} \| l'_{7(8)} \| l'_{8(8)}$,

$l'_{1(8)} = s_1(l_{1(8)})$, $l'_{5(8)} = s_2(l_{5(8)})$,

$l'_{2(8)} = s_2(l_{2(8)})$, $l'_{6(8)} = s_3(l_{6(8)})$,

$l'_{3(8)} = s_3(l_{3(8)})$, $l'_{7(8)} = s_4(l_{7(8)})$,

$l'_{4(8)} = s_4(l_{4(8)})$, $l'_{8(8)} = s_1(l_{8(8)})$;

$P : F_2^{64} \to F_2^{64}$,

$z_{1(8)} \| z_{2(8)} \| z_{3(8)} \| z_{4(8)} \| z_{5(8)} \| z_{6(8)} \| z_{7(8)} \| z_{8(8)} \mapsto z'_{1(8)} \| z'_{2(8)} \| z'_{3(8)} \| z'_{4(8)} \| z'_{5(8)} \| z'_{6(8)} \| z'_{7(8)} \| z'_{8(8)}$,

$z'_1 = z_1 \oplus z_3 \oplus z_4 \oplus z_6 \oplus z_7 \oplus z_8$, $z'_5 = z_1 \oplus z_2 \oplus z_6 \oplus z_7 \oplus z_8$,

$z'_2 = z_1 \oplus z_2 \oplus z_4 \oplus z_5 \oplus z_7 \oplus z_8$, $z'_6 = z_2 \oplus z_3 \oplus z_5 \oplus z_7 \oplus z_8$,

$z'_3 = z_1 \oplus z_2 \oplus z_3 \oplus z_5 \oplus z_6 \oplus z_8$, $z'_7 = z_3 \oplus z_4 \oplus z_5 \oplus z_6 \oplus z_8$,

$z'_4 = z_2 \oplus z_3 \oplus z_4 \oplus z_5 \oplus z_6 \oplus z_7$, $z'_8 = z_1 \oplus z_4 \oplus z_5 \oplus z_6 \oplus z_7$.

Below we briefly describe the key schedule of Camellia. First, two 128-bit variables $K_L$ and $K_R$ are generated from the user key. Then two 128-bit variables $K_A$ and $K_B$ are generated from $K_L$ and $K_R$. Note that $K_B$ is used only when the user key is 192 or 256 bits. The round subkeys are generated by rotating $K_L$, $K_R$, $K_A$ and $K_B$. Details are given in [1].

3. 4-Round Distinguisher

Choose two plaintexts $P = (L_0, R_0)$ and $P^* = (L_0^*, R_0^*)$:

$L_0 = (\alpha_1, \alpha_2, \ldots, \alpha_8)$, $R_0 = (x, \beta_2, \ldots, \beta_8)$,

$L_0^* = L_0$, $R_0^* = (x^*, \beta_2, \ldots, \beta_8)$,

where $x \ne x^*$, and the $\alpha_i$, $\beta_j$ are constants in $F_2^8$. Thus the input of the 2nd round can be written as follows:

$L_1 = (x \oplus \gamma_1, \gamma_2, \ldots, \gamma_8)$, $R_1 = (\alpha_1, \alpha_2, \ldots, \alpha_8)$,

$L_1^* = (x^* \oplus \gamma_1, \gamma_2, \ldots, \gamma_8)$, $R_1^* = (\alpha_1, \alpha_2, \ldots, \alpha_8)$,

where the $\gamma_i$ are entirely determined by $\alpha_i$ ($1 \le i \le 8$), $\beta_j$ ($2 \le j \le 8$) and $k_1$, so the $\gamma_i$ are constants when the user key is fixed. In the 2nd round, the transformation of $L_1$ and $L_1^*$ by $F(\cdot, k_2)$ is as follows:

$L_1 = (x \oplus \gamma_1, \gamma_2, \ldots, \gamma_8) \mapsto (y \oplus \theta_1, y \oplus \theta_2, y \oplus \theta_3, \theta_4, y \oplus \theta_5, \theta_6, \theta_7, y \oplus \theta_8)$,

$L_1^* = (x^* \oplus \gamma_1, \gamma_2, \ldots, \gamma_8) \mapsto (y^* \oplus \theta_1, y^* \oplus \theta_2, y^* \oplus \theta_3, \theta_4, y^* \oplus \theta_5, \theta_6, \theta_7, y^* \oplus \theta_8)$,

where $y = s_1(x \oplus \gamma_1 \oplus k_{2,1})$, $y^* = s_1(x^* \oplus \gamma_1 \oplus k_{2,1})$, $k_{2,1}$ is the first byte of $k_2$, and the $\theta_i$ are entirely determined by $\gamma_i$ ($1 \le i \le 8$) and $k_2$, so the $\theta_i$ are constants when the user key is fixed. (The bytes that contain $y$ are exactly the output bytes of $P$ whose expression contains $z_1$.) Therefore, the output of the 2nd round is

$L_2 = (y \oplus \omega_1, y \oplus \omega_2, y \oplus \omega_3, \omega_4, y \oplus \omega_5, \omega_6, \omega_7, y \oplus \omega_8)$,

$R_2 = L_1 = (x \oplus \gamma_1, \gamma_2, \ldots, \gamma_8)$,

$L_2^* = (y^* \oplus \omega_1, y^* \oplus \omega_2, y^* \oplus \omega_3, \omega_4, y^* \oplus \omega_5, \omega_6, \omega_7, y^* \oplus \omega_8)$,

$R_2^* = L_1^* = (x^* \oplus \gamma_1, \gamma_2, \ldots, \gamma_8)$,

where the $\omega_i = \alpha_i \oplus \theta_i$ are constants. In the 3rd round, the transformation of $L_2$ and $L_2^*$ by $F(\cdot, k_3)$ is as follows:

$L_2 = (y \oplus \omega_1, y \oplus \omega_2, y \oplus \omega_3, \omega_4, y \oplus \omega_5, \omega_6, \omega_7, y \oplus \omega_8) \mapsto (z'_1, z'_2, \ldots, z'_8)$,

$L_2^* = (y^* \oplus \omega_1, y^* \oplus \omega_2, y^* \oplus \omega_3, \omega_4, y^* \oplus \omega_5, \omega_6, \omega_7, y^* \oplus \omega_8) \mapsto (z'^*_1, z'^*_2, \ldots, z'^*_8)$.

By observing the round function (in $z'_3 \oplus z'_4 \oplus z'_5 \oplus z'_6 \oplus z'_7$ every S-box output except $z_7$ occurs an even number of times and cancels), we find

$z'_3 \oplus z'_4 \oplus z'_5 \oplus z'_6 \oplus z'_7 = s_4(\omega_7 \oplus k_{3,7}) = \sigma_1$,

$z'^*_3 \oplus z'^*_4 \oplus z'^*_5 \oplus z'^*_6 \oplus z'^*_7 = s_4(\omega_7 \oplus k_{3,7}) = \sigma_1$,

where $\sigma_1$ is entirely determined by $\omega_i$ ($1 \le i \le 8$) and $k_3$, so $\sigma_1$ is a constant when the user key is fixed.

Figure 1. 4-round differential characteristic.

Thus, we have the left half of the output of the 3rd round:

$L_3 = (z'_1 \oplus x \oplus \gamma_1, z'_2 \oplus \gamma_2, z'_3 \oplus \gamma_3, \ldots, z'_8 \oplus \gamma_8)$,

$L_3^* = (z'^*_1 \oplus x^* \oplus \gamma_1, z'^*_2 \oplus \gamma_2, z'^*_3 \oplus \gamma_3, \ldots, z'^*_8 \oplus \gamma_8)$.

So the right half of the output of the 4th round is as follows:

$R_4 = L_3 = (z'_1 \oplus x \oplus \gamma_1, z'_2 \oplus \gamma_2, z'_3 \oplus \gamma_3, \ldots, z'_8 \oplus \gamma_8)$,

$R_4^* = L_3^* = (z'^*_1 \oplus x^* \oplus \gamma_1, z'^*_2 \oplus \gamma_2, z'^*_3 \oplus \gamma_3, \ldots, z'^*_8 \oplus \gamma_8)$,

and we have the following equation:

$R_{4,3} \oplus R_{4,4} \oplus R_{4,5} \oplus R_{4,6} \oplus R_{4,7} = R^*_{4,3} \oplus R^*_{4,4} \oplus R^*_{4,5} \oplus R^*_{4,6} \oplus R^*_{4,7}$ (1)

with probability 1, since both sides equal $\sigma_1 \oplus \gamma_3 \oplus \gamma_4 \oplus \gamma_5 \oplus \gamma_6 \oplus \gamma_7$.
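The 4-round property (1) checked by exhaustive computation, as an added example; this is not code from the paper or from the Camellia specification. The P-function is the one given in Section 2; the S-boxes are random 8-bit permutations standing in for $s_1, \ldots, s_4$, because the probability-1 property depends only on P and on the S-layer acting byte by byte (the linear approximation of Section 4 would need the real $s_4$ and is not modelled here). Function names and the seeds are ours.

```python
import random

# Camellia's P-function from Section 2: output byte i is the XOR of the input bytes listed.
P_ROWS = (
    (1, 3, 4, 6, 7, 8), (1, 2, 4, 5, 7, 8), (1, 2, 3, 5, 6, 8), (2, 3, 4, 5, 6, 7),
    (1, 2, 6, 7, 8), (2, 3, 5, 7, 8), (3, 4, 5, 6, 8), (1, 4, 5, 6, 7),
)

# Stand-in S-boxes: random 8-bit permutations, NOT Camellia's s1..s4.  The 4-round
# property holds for any bijective byte S-boxes, so the stand-ins suffice here.
_rng = random.Random(20040101)
SBOX = [_rng.sample(range(256), 256) for _ in range(4)]
S_ORDER = (0, 1, 2, 3, 1, 2, 3, 0)   # s1, s2, s3, s4, s2, s3, s4, s1 as in Section 2


def xor_bytes(values):
    acc = 0
    for v in values:
        acc ^= v
    return acc


def p_func(z):
    """P: list of 8 bytes -> list of 8 bytes."""
    return [xor_bytes(z[j - 1] for j in row) for row in P_ROWS]


def s_layer(x):
    return [SBOX[S_ORDER[i]][x[i]] for i in range(8)]


def f_round(x, k):
    """F(X, k) = P(S(X xor k)) on 8-byte lists."""
    return p_func(s_layer([a ^ b for a, b in zip(x, k)]))


def feistel(L, R, round_keys):
    """Modified Camellia (no FL layers, no whitening):
    L_r = R_{r-1} xor F(L_{r-1}, k_r), R_r = L_{r-1}."""
    for k in round_keys:
        L, R = [a ^ b for a, b in zip(R, f_round(L, k))], L
    return L, R


def xor_of_p_bytes_3_to_7_equals_z7(z):
    """The observation behind sigma_1: z'_3 ^ z'_4 ^ z'_5 ^ z'_6 ^ z'_7 == z_7 for every z."""
    zp = p_func(z)
    return xor_bytes(zp[2:7]) == z[6]


def right_half_relation_values(round_keys, alpha, beta):
    """Encrypt every plaintext (alpha, (x, beta_2..beta_8)), x = 0..255, for len(round_keys)
    rounds and collect the XOR of bytes 3..7 of the final right half."""
    seen = set()
    for x in range(256):
        R0 = [x] + list(beta[1:])
        _, Rn = feistel(list(alpha), R0, round_keys)
        seen.add(xor_bytes(Rn[2:7]))
    return seen


def distinguisher_holds(round_keys, alpha, beta):
    """Eq. (1): after 4 rounds the XOR of R_4 bytes 3..7 is the same for all 256 values of x."""
    return len(right_half_relation_values(round_keys[:4], alpha, beta)) == 1


def sample_instance(seed, rounds=5):
    """Random round keys and constants alpha, beta for a reproducible experiment."""
    rng = random.Random(seed)
    rand8 = lambda: [rng.randrange(256) for _ in range(8)]
    return [rand8() for _ in range(rounds)], rand8(), rand8()


if __name__ == "__main__":
    keys, alpha, beta = sample_instance(7)
    print("4-round relation constant over x:", distinguisher_holds(keys, alpha, beta))
    print("distinct values after 5 rounds:", len(right_half_relation_values(keys, alpha, beta)))
```

Running the same plaintext set through five rounds instead of four shows the relation breaking down, which is why Section 4 has to pay for the extra rounds with a linear approximation and key guessing rather than extending the characteristic.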

4. Attacks on Camellia Reduced to 9 and 10 Rounds

In this section, we describe the differential-linear cryptanalysis of modified Camellia reduced to 9 rounds in detail.

By testing

$s_4 : F_2^8 \to F_2^8$, $X \mapsto s_4(X) = Y$,

we get the following linear approximation of the S-box $s_4$:

$X[4] = Y[4]$ (2)

with probability $p = 1/2 + 3/2^7$, where $X[m]$ denotes the $m$-th bit of $X$.

If $k_1$ is known, we can choose two plaintexts $P = (L_0, R_0)$ and $P^* = (L_0^*, R_0^*)$ such that $(L_1, R_1)$ and $(L_1^*, R_1^*)$ satisfy the input condition of the 4-round differential characteristic of Section 3, which then covers rounds 2 to 5. Let $I = \{3, 4, 5, 6, 7\}$; we have the following equation:

$\bigoplus_{i \in I} R_{5,i} = \bigoplus_{i \in I} R^*_{5,i}$. (3)

Further observing the round function (as $R_5 = L_6 \oplus F(R_6, k_6)$, and the XOR of output bytes 3 to 7 of $F$ equals the output of its seventh S-box), we have

$\bigoplus_{i \in I} R_{5,i} = s_4(R_{6,7} \oplus k_{6,7}) \oplus \Big(\bigoplus_{i \in I} L_{6,i}\Big)$, (4)

$\bigoplus_{i \in I} R^*_{5,i} = s_4(R^*_{6,7} \oplus k_{6,7}) \oplus \Big(\bigoplus_{i \in I} L^*_{6,i}\Big)$. (5)

By using equation (2) we get

$\bigoplus_{i \in I} R_{5,i}[4] = R_{6,7}[4] \oplus k_{6,7}[4] \oplus \Big(\bigoplus_{i \in I} L_{6,i}[4]\Big)$, (6)

$\bigoplus_{i \in I} R^*_{5,i}[4] = R^*_{6,7}[4] \oplus k_{6,7}[4] \oplus \Big(\bigoplus_{i \in I} L^*_{6,i}[4]\Big)$. (7)

Equations (6) and (7) each hold with probability $p = 1/2 + 3/2^7$. Because $\bigoplus_{i \in I} R_{5,i}[4] = \bigoplus_{i \in I} R^*_{5,i}[4]$ by (3), we get

$R_{6,7}[4] \oplus \Big(\bigoplus_{i \in I} L_{6,i}[4]\Big) = R^*_{6,7}[4] \oplus \Big(\bigoplus_{i \in I} L^*_{6,i}[4]\Big)$. (8)

Equation (8) holds with probability $p^2 + (1 - p)^2 = 1/2 + 9/2^{13}$. From the round transformation ($R_6 = L_7 \oplus F(R_7, k_7)$, seventh output byte of $P$) we have

$R_{6,7} = L_{7,7} \oplus s_3(R_{7,3} \oplus k_{7,3}) \oplus s_4(R_{7,4} \oplus k_{7,4}) \oplus s_2(R_{7,5} \oplus k_{7,5}) \oplus s_3(R_{7,6} \oplus k_{7,6}) \oplus s_1(R_{7,8} \oplus k_{7,8})$,

and $L_6 = R_7$. Therefore, if $k_{7,3}, k_{7,4}, k_{7,5}, k_{7,6}, k_{7,8}, k_8, k_9$ are known, $R_{6,7}[4] \oplus (\bigoplus_{i \in I} L_{6,i}[4])$ and $R^*_{6,7}[4] \oplus (\bigoplus_{i \in I} L^*_{6,i}[4])$ can be obtained by decrypting the ciphertexts $C = (L_9, R_9)$ and $C^* = (L_9^*, R_9^*)$ through rounds 9 and 8 and the five relevant S-boxes of round 7.

When the correct value of $(k_{7,3}, k_{7,4}, k_{7,5}, k_{7,6}, k_{7,8}, k_8, k_9)$ is used, we expect $R_{6,7}[4] \oplus (\bigoplus_{i \in I} L_{6,i}[4]) = R^*_{6,7}[4] \oplus (\bigoplus_{i \in I} L^*_{6,i}[4])$ to hold with probability $1/2 + 9/2^{13}$; when an incorrect value is used, the produced data is more random and we expect the probability to be closer to $1/2$.

Based on Ref. [11], approximately $2^{25}/81$ pairs of chosen plaintexts are needed. Now we introduce how to obtain the desired pairs of plaintexts. Fix $\alpha_i$ ($2 \le i \le 8$) and $\beta_j$ ($1 \le j \le 8$), and choose the set of plaintexts

$\Phi = \{ P^{(t)} = (L_0^t, R_0^t) \mid R_0^t = (y \oplus \beta_1, y \oplus \beta_2, y \oplus \beta_3, \beta_4, y \oplus \beta_5, \beta_6, \beta_7, y \oplus \beta_8),\ L_0^t = (x, \alpha_2, \ldots, \alpha_8),\ t = x + 2^8 y \}$,

where $y$ takes all values in $F_2^8$ and $x$ takes 64 values in $F_2^8$, thus $|\Phi| = 2^{14}$. For any $P^{(t)}$, $t = a + b \times 2^8$, we can choose 63 plaintexts $P^{(t')}$ from $\Phi$, $t' = a_1 + b_1 \times 2^8$, $a_1 \ne a$, $b_1 = s_1(a \oplus k_{1,1}) \oplus s_1(a_1 \oplus k_{1,1}) \oplus b$, such that $P^{(t)}$ and $P^{(t')}$ are a desired pair: the first-round output $L_1 = R_0 \oplus F(L_0, k_1)$ is then the same for both, while $R_1 = L_0$ differs only in its first byte. Therefore, we can construct $2^{14} \times 63/2 > 2^{25}/81$ desired pairs of plaintexts from $\Phi$.

Algorithm

Step 1. Choose the set $\Phi$ of plaintexts; the corresponding set of ciphertexts is denoted $\Omega$.

Step 2. For each possible value $g$ of $(k_{7,3}, k_{7,4}, k_{7,5}, k_{7,6}, k_{7,8}, k_8, k_9)$, decrypt the ciphertexts in $\Omega$ and compute $R_{6,7}[4] \oplus (\bigoplus_{i \in I} L_{6,i}[4])$. Let $N_g$ be the total number of pairs of plaintexts that satisfy $R_{6,7}[4] \oplus (\bigoplus_{i \in I} L_{6,i}[4]) = R^*_{6,7}[4] \oplus (\bigoplus_{i \in I} L^*_{6,i}[4])$.

Step 3. Output the key candidate $g$ corresponding to the maximum value of all $N_g$.

The main time complexity of the attack is Step 2: computing each $R_{6,7}[4] \oplus (\bigoplus_{i \in I} L_{6,i}[4])$ costs about a 3-round encryption, and $g$ ranges over $5 \times 8 + 64 + 64 = 168$ key bits, so the time complexity of the attack is about $2^{14} \times 2^{168} \times 3/9 \approx 2^{180.4}$ encryptions.

Using the above algorithm we can also attack modified Camellia reduced to 10 rounds. The difference is in Step 2: compute $R_{6,7}[4] \oplus (\bigoplus_{i \in I} L_{6,i}[4])$ from the ciphertexts for each possible candidate of $(k_{7,3}, k_{7,4}, k_{7,5}, k_{7,6}, k_{7,8}, k_8, k_9, k_{10})$, i.e. 232 key bits. The time of computing each $R_{6,7}[4] \oplus (\bigoplus_{i \in I} L_{6,i}[4])$ is about a 4-round encryption, so the time complexity of the attack is about $2^{14} \times 2^{232} \times 4/10 \approx 2^{244.7}$ encryptions.

5. Conclusion

In this paper, we studied differential-linear cryptanalysis of modified Camellia reduced to nine and ten rounds. For modified Camellia with 9 rounds we can find the user key with $2^{14}$ chosen plaintexts and about $2^{180.4}$ encryptions, and for modified Camellia with 10 rounds we can find the user key with $2^{14}$ chosen plaintexts and about $2^{244.7}$ encryptions. Up to 10 rounds, differential-linear cryptanalysis is therefore faster than brute-force key search for the longer key sizes (192-bit keys at 9 rounds, 256-bit keys at 10 rounds); for 128-bit keys both complexities exceed exhaustive search of $2^{128}$, so there the result is of structural interest only.
Abstract The EV-DO security architecture is introduced in this paper. Following that, the authentication flows at the RAN level and the IP level, encryption and integrity are investigated. In addition, the paper gives a detailed analysis of EV-DO security. Finally, some enhancement suggestions are proposed.

Keywords: EV-DO, access authentication, CHAP, security analysis

1. INTRODUCTION 

With the high development of Internet and wireless information technology, 
the requirement for wireless data service is increasing drastically. Also the 
service is required to provide instance, versatility and high quality. But the 
current CDMA IX technology is far to meet these requirements. So the 3GPP2 
association, which is mostly composed, of North America countries held up 
EV work group in early 2000.This group proposed the EV-DO^" technology 
to meet the high data rate requirements. The standard is re-defined as HDPR 
(High Data Packet Rate) this year. 

The HRPD specification was finished at the end of 2001. Compared to the current CDMA 1X technology, it has the following advantages: 

■ Air interface: 1xEV-DO effectively resolves the data service transmission bottleneck in the air interface. Compared with the 153.6 Kbps of CDMA2000 1X, the 1xEV-DO forward link peak rate can be up to 2.4576 Mbps per sector. 

■ Frequency parameters: 1xEV-DO and IS-95/CDMA2000 1X have the same RF characteristics, chip rate, power requirements and coverage, which protects the current operator's investment to the maximum extent. 

■ Architecture: 1xEV-DO is very flexible in network construction. A standalone network can serve users who only need packet service, and a network combined with IS-95/CDMA2000 1X can provide voice and high data rate services at the same time. 
So basically HRPD technology is low cost, low risk, high rate, flexible in network construction and easy to implement. Hence, we believe the EV-DO technology can provide very fast and efficient data service to users. 

But for wireless data service, security plays a very important role. EV-DO (HRPD) has been equipped with a mature set of security schemes. This paper introduces and analyzes its security architecture, authentication flows, encryption and message integrity in depth. 

2. EV-DO Security Architecture 

EV-DO mainly provides security protection on the air interface between the AT (access terminal) and the AN (access network), including encryption and signaling integrity protection. The authentication of an EV-DO user is performed between the PDSN and the AT, or between the AT and the AN; the next section describes this in detail. The architecture of EV-DO is shown below. 

Figure: EV-DO architecture. 

A security layer is included in the EV-DO air interface, placed between the connection layer and the MAC layer, and is made up of the security parameters protocol, the message authentication protocol, the key agreement protocol and the encryption protocol. Among them, the security parameters protocol provides the parameters needed by the encryption protocol, such as the time stamp and synchronization parameters. The authentication protocol refers to message authentication, i.e. integrity protection; it has two options, DEFAULT (no protection) and SHA-1. The key agreement protocol provides the key required for a session; the current standard defines two options, none or D-H. The encryption protocol defines no encryption or AES encryption. 

3. EV-DO User Authentication 

EV-DO authentication is different from CDMA 1X: it does not use the SSD, A-KEY or CAVE. Access authentication is performed in the PPP layer using the CHAP protocol with the MD5 algorithm. The secret individual parameters needed by CHAP (such as SS, PASSWORD, NAI, etc.) are stored in the card in order to validate whether the user can be authorized to access the wireless and IP network. 

Actually, there are two kinds of authentication, performed respectively on the air interface and in the PPP session between PDSN and AT. One is called RAN authentication, i.e. inner CHAP, which is defined in IOS A.S0007; the other is called PDSN authentication, also called outer CHAP authentication, which is defined in IS-835. 

Inner CHAP (RAN authentication) is optional, but outer CHAP between PDSN and AT is mandatory. Radio access network authentication uses the A12 interface. Presently it is only applied in the Japanese market. For the two methods, please refer to Figure 2 below. 

There is a regulatory requirement to track the identity of the AT, and since the outer CHAP cannot authenticate the AT itself, it is not enough. In Japan the ISP (Internet service provider) and the WSP (wireless service provider) may or may not be the same company, and the ISP can be different from the WSP. 



■ Outer authentication between PDSN and AT 

The authentication in this layer is called outer CHAP, which is transparent to the AN and performed between AT and PDSN. The relevant entities are the AT, the PDSN and the PDSN-AAA (RADIUS server); the HA is also involved for mobile IP. 



Figure 2. Outer CHAP and inner CHAP (RAN level, optional). 

The protocol between the PDSN and the AAA server is based on RADIUS. User authentication is based on the network access identifier (NAI) and password. Simple IP authentication involves the entities MS, PDSN and PDSN-AAA server: the PDSN acts as RADIUS agent and the PDSN-AAA as the server, with CHAP or PAP as the authentication protocol. The authentication flow for mobile IP is illustrated below. 

Mobile IP authentication involves the entities AT, PDSN, AAA server and HA. Here the HA is responsible for the registration of the user address, i.e. the correlation of the user's home IP address and COA (care-of address). At the same time, the HA handles the data packets of the MN, which are forwarded by the FA to the MN. The authentication method is MN-FA Challenge/Response [RFC 3012]. Figure 3 shows the MIP authentication during registration. The PDSN acts as FA and performs the authentication by use of the PDSN-AAA. The main steps are: 

1) After the establishment of the PPP session, the MN sends an Agent-Solicitation message; 

2) The PDSN sends an Agent-Advertisement to the MN with the FA challenge attached; 

3) If the MN determines that it is in a foreign network, it starts the MIP registration and authentication; 

4) The AT calculates the response and sends the RRQ to the PDSN; 

5) The PDSN forwards an Access-Request message to the PDSN-AAA with the FAC and the response attached; 

6) The PDSN-AAA forwards it to the HAAA, which performs the authentication; 

7) If authentication is successful, the HAAA returns a successful authentication message with the user's HA address attached; 

8) Once the PDSN receives this, it forwards the user's RRQ to the HA; 

9) The HA authenticates the AT by use of the secret key issued by the HAAA and returns the RRP to the PDSN; 

10) Once the RRP is received, the AT obtains the HA address and performs re-authentication using this address; 

11) During re-registration, the PDSN may send the authentication information directly to the HAAA. 
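The outer CHAP exchange of the Simple IP case described above (the AT answering with the password stored on its card, the PDSN relaying as RADIUS agent, the PDSN-AAA deciding), as an added example in Python; this is not code from the paper or from any 3GPP2 implementation, and the NAIs, passwords and class names are constructed for illustration.

```python
import hashlib
import secrets

# RFC 1994 CHAP with MD5: Response = MD5(Identifier || secret || Challenge).
# Roles follow the outer-CHAP description: the AT answers with the password
# stored on its card, the PDSN (RADIUS agent) only relays, and the PDSN-AAA
# (RADIUS server) holds the NAI -> password table and decides.


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP/MD5 response value as defined in RFC 1994."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class AccessTerminal:
    """AT side: NAI and password are provisioned on the card."""

    def __init__(self, nai: str, password: bytes):
        self.nai = nai
        self._password = password

    def answer(self, identifier: int, challenge: bytes) -> dict:
        # Only the hashed response leaves the terminal, never the password.
        return {"nai": self.nai, "ident": identifier,
                "response": chap_response(identifier, self._password, challenge)}


class PdsnAaa:
    """RADIUS server: verifies CHAP-Password against the stored password."""

    def __init__(self, users: dict):
        self._users = users          # NAI -> password (constructed sample data)

    def access_request(self, nai: str, ident: int,
                       challenge: bytes, response: bytes) -> bool:
        password = self._users.get(nai)
        if password is None:
            return False             # unknown NAI -> Access-Reject
        expected = chap_response(ident, password, challenge)
        return secrets.compare_digest(expected, response)


class Pdsn:
    """PPP peer of the AT and RADIUS client of the PDSN-AAA."""

    def __init__(self, aaa: PdsnAaa):
        self._aaa = aaa
        self._ident = 0

    def authenticate(self, at: AccessTerminal) -> bool:
        self._ident = (self._ident + 1) & 0xFF
        challenge = secrets.token_bytes(16)     # fresh random challenge per attempt
        reply = at.answer(self._ident, challenge)
        # The Access-Request carries User-Name (NAI), CHAP-Challenge and CHAP-Password.
        return self._aaa.access_request(reply["nai"], reply["ident"],
                                        challenge, reply["response"])


def demo() -> tuple:
    """Constructed scenario: a provisioned user, a wrong password, an unknown NAI."""
    aaa = PdsnAaa({"user@example.net": b"card-secret-1"})
    pdsn = Pdsn(aaa)
    good = pdsn.authenticate(AccessTerminal("user@example.net", b"card-secret-1"))
    bad = pdsn.authenticate(AccessTerminal("user@example.net", b"wrong-secret"))
    unknown = pdsn.authenticate(AccessTerminal("nobody@example.net", b"x"))
    return good, bad, unknown


if __name__ == "__main__":
    print(demo())   # (True, False, False)
```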
■ RAN layer authentication 

RAN layer authentication is also called inner CHAP. It is located between the AT and the AN, goes through the AN-AAA, and is optional. This authentication is initiated by the AN, with the objectives of meeting the operators' need to track user identity and of supporting seamless handoff of the same packet data session between HRPD (1xEV-DO) and 3G1X: the IMSI returned after this layer of authentication is used in the handoff. CHAP implements this layer of authentication. 

4. Session security in the air interface 

The key used by the encryption and integrity protocols is generated by the D-H protocol between AT and AN. There was no message encryption in version 1; AES was proposed for message and signaling encryption in version 2. But neither version applies mandatory integrity protection to all signaling; SHA-1 is optionally used to provide this protection. 

5. Security analysis and suggestion 

5.1 Weaknesses 

Although current EV-DO security is basically sound, some potential vulnerabilities still exist from a cryptographic viewpoint. We analyze them one by one in the following: 

■ Key generation is not based on authentication but is performed independently; hence the key can easily be stolen. 

■ D-H is very easily exposed to man-in-the-middle attack, and it is very slow, with high computational complexity. 

■ The session is not secure at all, because integrity protection is not applied to any reverse access link or forward access link. 

■ No encryption is applied to any signaling in the air interface, so service is easily hijacked on the forward and reverse links. 

■ DoS attacks are still unresolved; even the newest EV-DO security specification cannot protect against them. 

5.2 Improvement 

So this paper proposes the following suggestions based on the analysis above: 

■ Key negotiation should not rely on the D-H algorithm. Instead, a secret ROOT key is pre-provisioned in the databases of the user equipment and the core network. Authentication and key agreement are then performed based on this root key. 

■ Adopt the 3GPP UMTS AKA, which has already been proved to be very secure. In this way man-in-the-middle attacks and false-key attacks are prevented, because key agreement is based on the authentication. Two session keys are finally generated: the cipher key CK and the integrity key IK. 

■ Use IPsec or a VPN to securely transport the key to the other network entities after it is generated in the core network authentication center. Only the AT and the authentication center can generate the session key, because only they know the ROOT key. 

■ An enhanced SHA-1 is used for integrity protection of signaling and wireless messages, applying the session key IK in the last step. 

■ Encryption is applied to both signaling and data on the access channel and transport channels by AES in the air interface. 
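The root-key-based AKA proposed above, as an added example in Python (not code from the paper or from the 3GPP specification): mutual authentication from a pre-provisioned ROOT key, derivation of CK and IK only after the network's challenge verifies, and an integrity tag over a signalling message under IK. The f1..f4 functions are modelled with HMAC-SHA256 (a stand-in, not the standard's Milenage set), and the key, NAI and message values are constructed.

```python
import hashlib
import hmac
import secrets

# Constructed model of the proposal: a secret ROOT key K is provisioned only
# in the AT (card) and in the core-network authentication centre (AuC).
# f1..f4 are modelled with HMAC-SHA256 under distinct labels; this is a
# stand-in for the standard's algorithm set, not Milenage.


def _f(label: bytes, root_key: bytes, data: bytes) -> bytes:
    return hmac.new(root_key, label + data, hashlib.sha256).digest()


def f1_mac(k, rand, sqn): return _f(b"f1", k, rand + sqn)[:8]   # network auth token
def f2_res(k, rand):      return _f(b"f2", k, rand)[:8]         # AT's response
def f3_ck(k, rand):       return _f(b"f3", k, rand)[:16]        # cipher key CK
def f4_ik(k, rand):       return _f(b"f4", k, rand)[:16]        # integrity key IK


class AuthCentre:
    """Holds the ROOT keys. Only (RAND, SQN, MAC, XRES, CK, IK) ever leave it;
    CK and IK would travel to the AN over IPsec/VPN, K never does."""

    def __init__(self, root_keys: dict):
        self._root_keys = root_keys                 # NAI -> K (constructed)
        self._sqn = {nai: 0 for nai in root_keys}

    def auth_vector(self, nai: str) -> dict:
        k = self._root_keys[nai]
        self._sqn[nai] += 1                         # fresh sequence number
        rand = secrets.token_bytes(16)
        sqn = self._sqn[nai].to_bytes(6, "big")
        return {"rand": rand, "sqn": sqn, "mac": f1_mac(k, rand, sqn),
                "xres": f2_res(k, rand), "ck": f3_ck(k, rand), "ik": f4_ik(k, rand)}


class AccessTerminal:
    def __init__(self, root_key: bytes):
        self._k = root_key
        self._last_sqn = 0
        self.ck = self.ik = None

    def respond(self, rand: bytes, sqn: bytes, mac: bytes):
        """Authenticate the network first; derive CK/IK only on success."""
        if not hmac.compare_digest(f1_mac(self._k, rand, sqn), mac):
            return None                             # forged or modified challenge
        if int.from_bytes(sqn, "big") <= self._last_sqn:
            return None                             # replayed challenge
        self._last_sqn = int.from_bytes(sqn, "big")
        self.ck, self.ik = f3_ck(self._k, rand), f4_ik(self._k, rand)
        return f2_res(self._k, rand)


def run_aka(auc: AuthCentre, at: AccessTerminal, nai: str):
    """Network side: fetch a vector, challenge the AT, compare RES with XRES.
    Returns (CK, IK) for the session, or None when authentication fails."""
    av = auc.auth_vector(nai)
    res = at.respond(av["rand"], av["sqn"], av["mac"])
    if res is None or not hmac.compare_digest(res, av["xres"]):
        return None
    return av["ck"], av["ik"]


def protect(ik: bytes, message: bytes) -> bytes:
    """Integrity tag over a signalling message under IK (the last step above)."""
    return hmac.new(ik, message, hashlib.sha256).digest()[:8]


def verify(ik: bytes, message: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(protect(ik, message), tag)


if __name__ == "__main__":
    root = bytes(range(16))                                  # constructed ROOT key
    auc = AuthCentre({"at1@example.net": root})
    at = AccessTerminal(root)
    ck, ik = run_aka(auc, at, "at1@example.net")
    print("keys agree:", (ck, ik) == (at.ck, at.ik))         # True
    tag = protect(ik, b"signalling-message-1")               # constructed message
    print("tampered:", verify(ik, b"signalling-message-2", tag))   # False
```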

6. Conclusion 

Compared to CDMA 1X, both the authentication method and the algorithms are different. The up-to-date standard adopts the freely available AES, without any export restriction. The new specification can meet the user's security requirements in the authentication, encryption and key agreement processes, and closes some important security vulnerabilities. Well-known vendors such as Lucent have already run many trials of it; it is very easy to implement and effectively protects the existing investment of the operator to the maximum extent. The service provides sufficient security as well as high data rate service to users. 
Abstract In 1998 Cramer and Shoup published a remarkable public key encryption scheme, and we mentioned that the scheme involves large secret keys. This leaves an interesting problem: whether one can reduce the key sizes of the original Cramer and Shoup scheme [4]. We made the first step to present a variation by defining the keys of Cramer-Shoup's test function as $c = g^x$ and $d = g^y$ in 1999 [9]. Unfortunately, the variation scheme was subsequently broken by Borst, Preneel and Vandewalle in 2000 [2]. Luckily, we are able to provide a remedy of Zhu-Lee-Deng's scheme in this short paper. 

Keywords: decisional Diffie-Hellman assumption, standard complexity model, Zhu-Lee-Deng's scheme 

1. Introduction 

Soon after Cramer and Shoup published a remarkable public key encryption scheme in 1998 [4], we mentioned that this public key cryptosystem involves large secret keys. It is therefore an interesting problem whether one can reduce the key sizes of the original Cramer and Shoup scheme. We made the first step to reduce the key sizes of the original Cramer and Shoup scheme and presented a modified scheme by defining $c = g^x$ and $d = g^y$ in 1999 [9]. Unfortunately, the scheme was subsequently broken by Borst, Preneel and Vandewalle in 2000 [2]. Fortunately, we are able to present a remedy scheme in this short paper. 

To study the security of a newly developed cryptosystem, one can employ two standard models. 1) Random oracle model: in the random oracle paradigm, an ideally random and imaginary oracle is assumed when proving the security of cryptographic algorithms [3]. A random oracle $H$ generates an answer randomly to the query posted to $H$ at first; if the same query is asked later, $H$ answers with the same value as was provided to the first query. The main advantage of the random oracle paradigm is that it can much more easily provide concrete security analysis, avoiding complexity theory and asymptotic theory. In practice, a random oracle is replaced by a random-like hash function such as SHA. We remark that all known cryptographic algorithms provably secure in the random oracle paradigm are very efficient and hence meet practical requirements. However, one must be cautious: schemes provably secure in the random oracle model are not thereby also secure in the real world. 2) Standard complexity model: in this setting, the related cryptographic primitives are based on standard assumptions, such as the factoring problem and the discrete logarithm problem together with its variations, e.g., the computational Diffie-Hellman assumption and the decisional Diffie-Hellman assumption. Definitely this kind of security is encouraged from the points of view of both theoretical research and practice. 

2. Notions and Definitions 

The security of a public-key encryption scheme is definitely related to the ability of adversaries and the underlying assumptions. To define the ability of adversaries, three basic models are considered: 

-Semantic security: a public key encryption scheme is said to be semantically secure, a notion first introduced by Goldwasser and Micali [6], if an adversary is not able to obtain any partial information about a message given its cipher-text. 

-Security against chosen cipher-text attack: a public key encryption scheme is said to be secure against chosen cipher-text attack (or lunch-time attack or midnight attack), developed by Naor and Yung [7], if an adversary who has access to the decryption oracle before a target cipher-text is given is not able to extract any information about the message. 

-Security against adaptive chosen cipher-text attack (an equivalent notion is called non-malleable security against adaptive chosen message attack [5]): a public key encryption scheme is called secure against adaptive chosen cipher-text attack [8] if an adversary who has access to the decryption oracle even after the target cipher-text is given, and can query the decryption oracle on any cipher-text but the target cipher-text, is unable to extract any information about the message. 

Our goal is to provide a public-key encryption scheme that is provably se- 
cure against adaptive chosen cipher-text attack in the standard intractability 
paradigm. The following notions and facts will be used to prove the security of 
our scheme. 

Computational indistinguishability: two families of distributions $\delta_1$ and $\delta_2$ are said to be computationally indistinguishable if no probabilistic polynomial time Turing machine distinguisher can decide which distribution it is sampling from with a probability of success non-negligibly better than random guessing. 

-Fact 1: If $\delta_1$ and $\delta_2$ are computationally indistinguishable and $\delta_2$ and $\delta_3$ are computationally indistinguishable, then $\delta_1$ and $\delta_3$ are computationally indistinguishable. 

-Fact 2: If $\delta_1$ and $\delta_2$ are computationally indistinguishable, then $\delta_1 \times \delta$ and $\delta_2 \times \delta$ are computationally indistinguishable for any independent distribution $\delta$, where $\delta_1 \times \cdots \times \delta_k$, the product distribution, is defined to be the distribution on $k$-tuples whose $i$-th component is sampled according to the distribution $\delta_i$. 

The underlying primitive of our scheme is the hardness assumption of the decisional Diffie-Hellman problem. We therefore review the famous quadruple decisional Diffie-Hellman problem below. 

-The distribution of random quadruples $(g_1, g_2, u_1, u_2) \in G^4$, where $g_1, g_2, u_1, u_2$ are uniformly distributed in $G$, and $G$ is a large cyclic group of prime order $q$. 

-The distribution of quadruples $(g_1, g_2, u_1, u_2) \in G^4$, where $g_1$ and $g_2$ are uniformly distributed in $G$ while $u_1 = g_1^r$ and $u_2 = g_2^r$ are computed from an $r$ which is uniformly distributed in $\mathbb{Z}_q$. 

An algorithm that solves the quadruple decisional Diffie-Hellman problem is a statistical test that can efficiently distinguish these two distributions. The decisional Diffie-Hellman assumption means that there is no such polynomial-time statistical test. This assumption is believed to be true for many cyclic groups, such as a prime-order subgroup of the multiplicative group of a finite field. To prove the security of our scheme, we also make use of the following lemma. 

Lemma [1]: The two distributions defined below are indistinguishable under the sole assumption of the standard quadruple decisional Diffie-Hellman problem: 

-The distribution of random tuples $(g_1, \ldots, g_k, u_1, \ldots, u_k) \in G^{2k}$, where $g_1, \ldots, g_k$ and $u_1, \ldots, u_k$ are uniformly distributed in $G$; 

-The distribution of tuples $(g_1, \ldots, g_k, u_1, \ldots, u_k) \in G^{2k}$, where $g_1, \ldots, g_k$ are uniformly distributed in $G$ while $u_1 = g_1^r, \ldots, u_k = g_k^r$ for an $r$ uniformly distributed in $\mathbb{Z}_q$. 
3. Our remedy scheme 

The original Zhu-Lee-Deng scheme is defined as follows (please refer to [9] for further details): Let $H$ be a family of collision-free hash functions. Let $G$ be a group of prime order $q$ for which the discrete logarithm problem is intractable, and let $g$ be a generator of $G$. The private key is given by a pair $(x, y)$, and the public key is $(c, d) = (g^x, g^y)$. To encrypt a message $m \in G$, the protocol goes as follows: 

■ Choose $r \in \mathbb{Z}_q$ at random and compute $u = g^r$, $v = m c^r$, $\alpha = H(u, v)$ and the test value $\beta$ (its expression is not legible in the source). The cipher-text is $(u, v, \beta)$. 

■ Given a putative cipher-text $(u, v, \beta)$, compute $\alpha = H(u, v)$ and test whether the check on $\beta$ holds (its expression is not legible in the source). If it does not hold, the algorithm outputs reject; otherwise the decryption algorithm outputs the message $m = v / u^x$. 

Borst, Preneel and Vandewalle's attack succeeds because the intermediate value $\alpha$ defined in our test function can be isolated. The remedy cryptosystem is defined below. 

-Key generation algorithm: Let $p$ be a large safe prime ($p = 2q + 1$ and $q$ is a large prime). Let $G \subset \mathbb{Z}_p^*$ be the subgroup of order $q$. Let $H$ be a collision-free hash function with output range $\mathbb{Z}_q$. On input $1^k$, the key generation algorithm chooses $g_1 \in \mathbb{Z}_p \setminus \{1\}$ with order $q$, and $w, x, y, z \in \mathbb{Z}_q$ uniformly at random, and computes $g_2 = g_1^w$, $c = g_1^x$, $d = g_1^y$ and $h = g_1^z$. The output of the key generation algorithm is a public and secret key pair. The private key is denoted by $(w, x, y, z)$. The public key is denoted by $(g_1, g_2, c, d, h, H)$. 

-Encryption algorithm $E$: To encrypt a message $m \in \mathbb{Z}_p$, the encryption algorithm chooses $r \in \mathbb{Z}_q$ uniformly at random, then computes $u_1 = g_1^r \bmod p$, $u_2 = g_2^r \bmod p$, $e = m h^r \bmod p$, $\alpha = H(u_1, u_2, e)$ and $v = c^r d^{r\alpha} \bmod p$. The output $(u_1, u_2, e, v)$ is defined as the cipher-text of message $m$. 

-Decryption algorithm $D$: Given a putative cipher-text $(u_1, u_2, e, v)$, the decryption algorithm computes $\alpha = H(u_1, u_2, e)$, then tests whether the equations $u_2 = u_1^w \bmod p$ and $u_1^{x + y\alpha} = v \bmod p$ hold. If both equations are valid, then the decryption algorithm outputs $m = e / u_1^z \bmod p$; otherwise it outputs reject. 
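The remedy scheme as specified above, as an added example in Python (not code from the paper): key generation, encryption and the two decryption tests, with a tampered cipher-text rejected. The 64-bit safe prime, the SHA-256-based H with range Z_q and the sample message are constructed for illustration; a real deployment needs a prime of at least 2048 bits.

```python
import hashlib
import secrets

SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]


def is_probable_prime(n: int) -> bool:
    """Miller-Rabin with fixed bases; deterministic for n < 3.3e24."""
    if n < 2:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def find_safe_prime(bits: int) -> tuple:
    """Return (p, q) with p = 2q + 1 and both prime (toy size; real use >= 2048 bits)."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1, q


def hash_to_zq(q: int, u1: int, u2: int, e: int) -> int:
    """H with output range Z_q, modelled as SHA-256 over the encoded inputs mod q."""
    data = b"|".join(str(v).encode() for v in (u1, u2, e))
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % q


def keygen(bits: int = 64) -> tuple:
    """Private key (w, x, y, z); public key holds g1, g2=g1^w, c=g1^x, d=g1^y, h=g1^z."""
    p, q = find_safe_prime(bits)
    g1 = pow(2 + secrets.randbelow(p - 3), 2, p)     # a quadratic residue != 1: order q
    w, x, y, z = (1 + secrets.randbelow(q - 1) for _ in range(4))
    public = {"p": p, "q": q, "g1": g1, "g2": pow(g1, w, p),
              "c": pow(g1, x, p), "d": pow(g1, y, p), "h": pow(g1, z, p)}
    return public, (w, x, y, z)


def encrypt(pk: dict, m: int) -> tuple:
    """Cipher-text (u1, u2, e, v) of m in Z_p; v = c^r d^(r*alpha) binds (u1, u2, e)."""
    p, q = pk["p"], pk["q"]
    r = 1 + secrets.randbelow(q - 1)
    u1 = pow(pk["g1"], r, p)
    u2 = pow(pk["g2"], r, p)
    e = (m * pow(pk["h"], r, p)) % p
    alpha = hash_to_zq(q, u1, u2, e)
    v = (pow(pk["c"], r, p) * pow(pk["d"], (r * alpha) % q, p)) % p
    return u1, u2, e, v


def decrypt(pk: dict, sk: tuple, ct: tuple):
    """Return m, or None for 'reject' when either consistency test fails."""
    p, q = pk["p"], pk["q"]
    w, x, y, z = sk
    u1, u2, e, v = ct
    alpha = hash_to_zq(q, u1, u2, e)
    if pow(u1, w, p) != u2:                         # test 1: u2 == u1^w
        return None
    if pow(u1, (x + y * alpha) % q, p) != v:        # test 2: u1^(x + y*alpha) == v
        return None
    return (e * pow(pow(u1, z, p), -1, p)) % p      # m = e / u1^z


if __name__ == "__main__":
    pk, sk = keygen()
    ct = encrypt(pk, 4242)                          # constructed sample message
    print("decrypt:", decrypt(pk, sk, ct))          # 4242
    u1, u2, e, v = ct
    print("tampered e:", decrypt(pk, sk, (u1, u2, (e + 1) % pk["p"], v)))   # None
```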

The definition of security. First, the encryption scheme's key generation algorithm is run, with a security parameter as input. Next the adversary makes arbitrary queries to the decryption oracle $D$, decrypting cipher-texts of its choice. Next the adversary chooses two messages $m_0, m_1 \in \mathbb{Z}_p$ and sends these to the encryption oracle $E$. The encryption oracle chooses a bit $b \in \{0, 1\}$ at random and encrypts $m_b$. The corresponding cipher-text is given to the adversary (the internal coin tosses of the encryption oracle, in particular $b$, are not in the adversary's view). After receiving the cipher-text from the encryption oracle, the adversary continues to query the decryption oracle, subject only to the restriction that the query must be different from the output of the encryption oracle. At the end of the game, the adversary outputs $b' \in \{0, 1\}$, which is supposed to be the adversary's guess of the value $b$. If the probability that $b' = b$ is $1/2 + \epsilon$, the adversary's advantage is $\mathrm{Adv}(D) := \epsilon$. We say a public key cryptosystem is secure against adaptive chosen cipher-text attack if the adversary's advantage $\mathrm{Adv}(D) = \epsilon$ is a negligible amount. 

Theorem: The public key cryptosystem defined above is secure against adaptive chosen cipher-text attack under the joint assumption of the decisional Diffie-Hellman problem and the existence of a collision-free hash function $H$. 

Proof: Given a quadruple $(g_1, g_2, u_1, u_2)$ which is either a random quadruple or a Diffie-Hellman quadruple, we want to construct a distinguisher $D$ that is able to distinguish whether it comes from the random quadruple or the Diffie-Hellman quadruple distribution with non-negligible advantage, with the help of the adversary, who is assumed to be able to break the public key cryptosystem described above with non-negligible probability. We allow the adversary to choose two messages $m_0, m_1 \in \mathbb{Z}_p$ and send these to the encryption oracle described below. The encryption oracle chooses a bit $b \in \{0, 1\}$ at random and encrypts $m_b$. The corresponding cipher-text is given to the adversary. After receiving the cipher-text from the encryption oracle, the adversary continues to query the decryption oracle, subject only to the restriction that the query must be different from the output of the encryption oracle. 

The construction of the simulator on input $(g_1, g_2, u_1, u_2)$ is described as follows: 

-Key generation algorithm $KG_1$: Let $G$ be a subgroup of prime order $q$. We choose $x_1, x_2, y_1, y_2, z_1, z_2 \in \mathbb{Z}_q$ at random and compute $c = g_1^{x_1} g_2^{x_2}$, $d = g_1^{y_1} g_2^{y_2}$ and $h = g_1^{z_1} g_2^{z_2}$. The private key is $(x_1, x_2, y_1, y_2, z_1, z_2)$ and the public key is $(g_1, g_2, c, d, h, H)$, where $H$ is a collision-free hash function with output range $\mathbb{Z}_q$. 

-Encryption oracle $E_1$: Given $(g_1, g_2, u_1, u_2)$, $m_0$ and $m_1$, it chooses a bit $b \in \{0, 1\}$ uniformly at random, and then computes $e' = m_b u_1^{z_1} u_2^{z_2}$, $\alpha' = H(u_1, u_2, e')$ and $v' = u_1^{x_1 + y_1 \alpha'} u_2^{x_2 + y_2 \alpha'}$. The output of $E_1$ is the cipher-text $(u_1, u_2, e', v')$ of message $m_b$. 

-Decryption oracle $D_1$: Given a putative cipher-text $(u_1', u_2', e', v')$, it computes $\alpha' = H(u_1', u_2', e')$ and tests whether $u_1'^{\,x_1 + y_1 \alpha'} u_2'^{\,x_2 + y_2 \alpha'} = v'$; if this condition does not hold, the decryption algorithm outputs reject; otherwise it outputs $m = e' / (u_1'^{\,z_1} u_2'^{\,z_2})$. 

We consider the following two cases: 

Case 1: If $(g_1, g_2, u_1, u_2)$ is a random quadruple, we want to show that no information is leaked. In fact, our simulator is the same as the simulator of Cramer-Shoup's public key encryption scheme [4]. With the same argument as Lemma 2 in [4], we know that when the simulator's input is a random quadruple, the distribution of the hidden bit $b$ is essentially independent of the adversary's view. 

Case 2: If $(g_1, g_2, u_1, u_2)$ is a Diffie-Hellman quadruple, we want to show that the adversary's advantage on $(KG_1, E_1, D_1)$ is the same as that on $(KG_2, E_2, D_2)$, which is defined below: 

-Key generation algorithm $KG_2$: Let $p$ be a large safe prime ($p = 2q + 1$ and $q$ is a large prime). Let $G \subset \mathbb{Z}_p^*$ be the subgroup of order $q$. Let $H$ be a collision-free hash function with output range $\mathbb{Z}_q$. On input $1^k$, the key generation algorithm chooses $g_1 \in \mathbb{Z}_p \setminus \{1\}$ with order $q$, and $w, x, y, z \in \mathbb{Z}_q$ uniformly at random, and computes $g_2 = g_1^w$, $c = g_1^x$, $d = g_1^y$ and $h = g_1^z$. The output of the key generation algorithm is a public and secret key pair. The private key is denoted by $(w, x, y, z)$. The public key is denoted by $(g_1, g_2, c, d, h, H)$. 

-Encryption algorithm $E_2$: To encrypt a message $m_b \in \mathbb{Z}_p$, the encryption algorithm computes $e' = m_b u_1^z \bmod p$, $\alpha' = H(u_1, u_2, e')$ and $v' = u_1^{x + y\alpha'} \bmod p$. The output $(u_1, u_2, e', v')$ is defined as the cipher-text of message $m_b$. 

-Decryption algorithm $D_2$: Given a putative cipher-text $(u_1', u_2', e', v')$, the decryption algorithm computes $\alpha' = H(u_1', u_2', e')$, then tests whether the equations $u_2' = u_1'^{\,w} \bmod p$ and $u_1'^{\,x + y\alpha'} = v' \bmod p$ hold. If both equations are valid, then the decryption algorithm outputs $m = e' / u_1'^{\,z} \bmod p$; otherwise it outputs reject. 

We show that the two games $(KG_1, E_1, D_1)$ and $(KG_2, E_2, D_2)$ are equivalent up to the point where an invalid cipher-text is not rejected, which happens with only negligible probability, according to the following argument. 

Indeed, since the decryption algorithm in game $(KG_2, E_2, D_2)$ knows the trapdoor information $w = \log_{g_1} g_2$, we can assume that $(g_1, g_2, u_1, u_2)$ is always a Diffie-Hellman quadruple. As the decryption algorithm in game $(KG_1, E_1, D_1)$ is able to reject any invalid cipher-text except with negligible probability (the same argument as Lemma 1 presented in [4], where a cipher-text $(u_1, u_2, e, v)$ is called valid if $\log_{g_1} u_1 = \log_{g_2} u_2$), it follows that the two games are equivalent up to the point where an invalid cipher-text is not rejected (however, the probability that this happens is negligible). 

Furthermore we show that the adversary's advantages in game $(KG_1, E_1, D_1)$ and in game $(KG_2, E_2, D_2)$ are the same. Indeed, the adversary's attack is restricted to an adaptive chosen valid cipher-text attack in both game $(KG_1, E_1, D_1)$ and game $(KG_2, E_2, D_2)$. The distribution of valid cipher-texts $(u_1, u_2, e', v')$ in game $(KG_1, E_1, D_1)$ is denoted by $\delta_1$, while the distribution of valid cipher-texts in game $(KG_2, E_2, D_2)$ is denoted by $\delta_2$. Since $(g_1, g_2, u_1, u_2)$ is a Diffie-Hellman quadruple, it follows that $(g_1, g_2, h, u_1, u_2, u_1^{z})$ is the Diffie-Hellman six-tuple generated by game $(KG_2, E_2, D_2)$, while $(g_1, g_2, h, u_1, u_2, u_1^{z_1} u_2^{z_2})$ is the Diffie-Hellman six-tuple generated by game $(KG_1, E_1, D_1)$, according to the lemma presented in Section 2. Consequently the distribution $\delta_1$ is statistically indistinguishable from the distribution $\delta_2$. It follows that the adversary's advantage in game $(KG_1, E_1, D_1)$ differs from that in game $(KG_2, E_2, D_2)$ by at most a negligible amount. 

Now we can build a distinguisher which is able to distinguish a random quadruple from a Diffie-Hellman quadruple with non-negligible advantage, as follows. 

Given $(g_1, g_2, u_1, u_2)$, we run the simulator $(KG_1, E_1, D_1)$, and the adversary will eventually output a bit $b'$. If $b' = b$, the distinguisher outputs the bit 1, indicating that $(g_1, g_2, u_1, u_2)$ was chosen from the Diffie-Hellman quadruple distribution; otherwise, it outputs 0. By assumption, the adversary is able to guess the correct value $b$ with non-negligible advantage. This immediately implies a statistical test distinguishing random quadruples from Diffie-Hellman quadruples. 

4. Conclusions 

We have presented a remedy scheme provably secure under the hardness assumption of the decisional Diffie-Hellman problem and the existence of a collision-free hash function $H$ in the standard complexity model. We should point out here that this scheme, although defined over $\mathbb{Z}_p^*$, can easily be extended to be defined over a set of elliptic curves where the decisional Diffie-Hellman assumption is preserved. 
Abstract Based on quantum computation, a novel quantum cryptographic algorithm that can be used to encrypt classical messages is proposed. The security and the physical implementation of this algorithm are analyzed in detail. It is shown that the algorithm can resist quantum attack strategies as well as classical attack strategies. There are multiple advantages in using the proposed algorithm, the most important of which is that it can be implemented with current technology. 

Keywords: cryptology, quantum cryptographic algorithm, quantum computation 



Introduction 

Quantum cryptography has been of particular interest since the initial proposal of quantum key distribution in 1984 (Bennett 1984) and its experimental demonstration in 1992 (Bennett 1992). Current investigations of quantum cryptography are mainly concentrated on three aspects: quantum key distribution (Bennett 1992 1989, Ekert 1991, Bennett 1992, Brandt 2003), quantum secret sharing (Hillery 1999, Tyc 2002, Tittel 2001) and quantum cryptographic algorithms (Zeng 2002, Boykin 2003). The goal of quantum cryptographic algorithms and classical cryptographic algorithms is the same, i.e. to protect secret information or keep communications private. The difference between quantum and classical cryptographic algorithms is as follows: the former are based on quantum laws while classical cryptography is based on purely mathematical principles. With the vast progress made in quantum computation, a possible quantum computer poses a threat to classical cryptosystems in principle (Nielsen 2000). For example, Shor's powerful quantum algorithms for factoring and discrete logarithm and Grover's quantum searching algorithm are subtly designed according to the principles of quantum mechanics. How to devise an algorithm to resist quantum attacks is an important issue in data protection. 
Fortunately, the currently proposed quantum cryptology is thought to be helpful, not only because the existence of an eavesdropper can be detected in the quantum setting but also because non-orthogonal quantum states cannot be reliably distinguished (Nielsen 2000). In this sense, to cope with a possible and powerful quantum computer, quantum cryptology is one of the best candidates. In addition, an algorithm that is unconditionally secure in practice is also significant for classical information protection. 

To our knowledge, there are still not many good and feasible quantum cryptographic algorithms proposed at today's technology level. On the one hand, no classical algorithm to date is both theoretically secure and practical. On the other hand, even if the quantum computer comes true some day, it is neither necessary nor possible to transfer all the existing secret classical information, in the form familiar to ordinary people, into quantum information, nor the pre-shared classical keys, as long as the security can be guaranteed. From this point of view, in this paper we propose a novel and practical quantum cryptographic algorithm. 

1. Quantum cryptographic algorithm 

In the quantum setting, most algorithms are based on the communicators pre-sharing quantum states, such as EPR pairs, which is impossible with the existing technology since quantum memory remains an open technological challenge. Motivated by this, we present a novel quantum cryptographic algorithm. It requires the communicators to pre-share four groups of keys. Encryption is implemented by quantum computation, which can be realized with current technology. Because each encryption process is under the control of the key and the final ciphertext states are non-orthogonal, the eavesdropper cannot acquire a fixed ciphertext without the keys, so the eavesdropping attack is invalid, which is guaranteed by the no-cloning theorem in quantum mechanics (Wootters 1982). Similarly, the non-orthogonality of the ciphertext renders the Trojan horse attack strategy impossible (Gisin 2002). 

1.1 Encryption process 

Let us consider the encryption of the $i$-th classical plaintext bit using the corresponding $i$-th key element of each group of keys. If the keys are used up, the pre-shared keys are reused from the beginning. The detailed encryption process is as follows. 

Step 1: Preparation. Alice prepares the quantum ancilla state $|k_1^1 k_1^2\rangle$ according to the first group of key elements $k_1$, where $k_1^1$ and $k_1^2$ are the two key elements of the key pair in $k_1$ (for simplicity, the index $i$ is left out in what follows). When the classical key element pair is 00, 01, 10 or 11, Alice prepares the corresponding quantum state $|00\rangle$, $|01\rangle$, $|10\rangle$ or $|11\rangle$, respectively. Provided the classical binary message bit to be encrypted is $m$, Alice prepares the message quantum state $|m\rangle$ and generates the tensor product state $|k_1^1 k_1^2 m\rangle$ of the ancilla quantum state and the message quantum state. The result $C_1$ of this step is 

$$C_1 = \{ |k_1^1 k_1^2 m\rangle \mid k_1^1, k_1^2, m \in \{0, 1\} \} \quad (1)$$ 

where $\{\ldots\}$ denotes a set. 

Step 2: Controlled-NOT operation. Alice performs a Controlled-NOT operation according to the second group of key elements $k_2$. The classical key elements 0 and 1 represent taking the first qubit and the second qubit as the control qubit, respectively. The third qubit (message qubit) always acts as the target qubit. After processing, Alice gets the result $C_{k_2+1,3} |k_1^1 k_1^2 m\rangle$, where $C_{k_2+1,3}$ represents the Controlled-NOT gate with the $(k_2 + 1)$-th qubit as the control qubit and the third qubit as the target qubit. Therefore, the resulting ciphertext states can be formulated as 

$$C_2 = \{ |k_1^1 k_1^2 \alpha_m\rangle \mid k_1^1, k_1^2, k_2, m \in \{0, 1\} \} \quad (2)$$ 

where $\alpha_m = |\alpha\rangle_m = [\delta_{0,k_2} k_1^1 + \delta_{1,k_2} k_1^2] \oplus m$ and the subscript $m$ denotes the bit related to the original message bit. The third qubit in each state of $C_1$ is the original information qubit, but in each state of $C_2$ it is the result of the Controlled-NOT transformation and is no longer the original information qubit itself. 

Step 3: Permutation. The existing algorithms usually fix a qubit position to
represent the private information qubit, which may pose threats to the security
of the cryptographic system in some special cases. Actually, Alice can permute
two qubits in the resulting state according to the third group of key element $k_3$.
If $k_3$ is 0, leave the state alone; otherwise swap the second and the third qubits.
The set of possible ciphertext states $C_3$ is given as follows

$$C_3 = \{\,\delta_{0,k_3}|k_1^1 k_1^2 \alpha_m\rangle + \delta_{1,k_3}|k_1^1 \alpha_m k_1^2\rangle \;\big|\; k_1^1, k_1^2, k_2, k_3, m \in \{0,1\}\,\} \qquad (3)$$

Ciphertext states in $C_3$ differ in form from those in $C_1$: the second and the
third qubits of each state of $C_3$ may carry information about the message
(plaintext), unlike those of $C_1$, where the information about the plaintext is
confined to the third qubit. Thus the ciphertext space is doubled.

Step 4: Non-orthogonality. Up to now, the intermediate ciphertext states
Alice has obtained are orthogonal, which can be distinguished and are not suitable
for propagating on the channel. To overcome this weakness, Alice carries out
a quantum computation on the ciphertext states in $C_3$ under the control of the
fourth group of key element $k_4$ in order to make the final ciphertext states non-
orthogonal. If the key element is 00 or 11, then leave the third qubit of the state
in $C_3$ alone, i.e. the third qubit remains in the state $|0\rangle$ or $|1\rangle$; but if the key
element is 01 or 10, a certain computation needs to be made on the third qubit.
When the key element is 01, Alice applies the H gate to the third qubit and the
resulting output state will be $|+\rangle$ if the input state is $|0\rangle$, or $|-\rangle$ if the input state
is $|1\rangle$. On the other hand, when the key element is 10, Alice applies the ZH gate
to the third qubit. The possible ciphertext states in $C_4$ obtained from this step
can be expressed as

$$C_4 = \{\,(\delta_{00,k_4} + \delta_{11,k_4})\,\ldots\,\} \qquad (4)$$

Thus, the whole encryption process comes to an end. Eq.(4) shows that the
ciphertext states are non-orthogonal, and the message bits do not hide in a
fixed position. Furthermore, the ciphertext space is doubled again.

1.2 Decryption process 

The decryption process is the exact inverse of the encryption process.
Because the above quantum operations are unitary, the decryption process can
be completed easily under the guidance of the pre-shared keys.

2. Security analysis 

Firstly, let $|\psi_u\rangle$ be the linear combination, with equal probability, of all the
possible quantum states in the ciphertext set $C_t$ ($t = 1, 2, 3, 4$) which corresponds
to the message bit. The density matrices can be easily calculated and the results are

$$|\psi_u\rangle\langle\psi_u| = \ldots$$

The density matrix of the $n$ ciphertext states $|\psi\rangle$ related to the $n$-bit classical
message is

$$\ldots = \prod_{i=1}^{n} \ldots \qquad (5)$$

Eq.(5) demonstrates that the ciphertext is homogeneous and includes no
plaintext information. Therefore, the proposed quantum cryptographic algo-
rithm provides perfect privacy. Secondly, different ciphertext states are indistinguish-
able. One can calculate

$$\ldots = (1 + \sqrt{2})/16 \qquad (6)$$

Eq.(6) explains that different ciphertext states are non-orthogonal. By the
principles of quantum mechanics, non-orthogonal states cannot be reliably
distinguished. Our algorithm makes the ciphertext states non-orthogonal so that
the ciphertext states are indistinguishable, which can prevent eavesdropping
attacks. Thirdly, the Trojan horse attack strategy gets no useful information (Gisin
2002).
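The four encryption steps of 1.1, the inverse decryption of 1.2 and the orthogonality claims of this section, simulated on a three-qubit state vector. This is an added example, not code from the paper: the key layout ($k_1^1$, $k_1^2$, $k_2$, $k_3$, $k_4$) follows the text, while the amplitude-list representation and the function names are this example's own.

```python
"""Added example: three-qubit simulation of encryption steps 1-4 and the inverse
decryption.  The key layout follows the paper; helper names are this example's own."""
from itertools import product
import math

N_QUBITS = 3                        # ancilla pair (qubits 1, 2) + message (qubit 3)
SQRT_HALF = 1 / math.sqrt(2)
H = [[SQRT_HALF, SQRT_HALF], [SQRT_HALF, -SQRT_HALF]]   # Hadamard gate
Z = [[1, 0], [0, -1]]                                    # phase-flip gate

def bit(index, qubit):
    """Value of `qubit` (0-based, qubit 0 most significant) in a basis index."""
    return (index >> (N_QUBITS - 1 - qubit)) & 1

def mask(qubit):
    return 1 << (N_QUBITS - 1 - qubit)

def basis_state(bits):
    """Amplitude list (length 8) of the computational basis state |b0 b1 b2>."""
    index = 0
    for b in bits:
        index = (index << 1) | b
    state = [0j] * (1 << N_QUBITS)
    state[index] = 1 + 0j
    return state

def cnot(state, control, target):
    """Controlled-NOT: flip `target` on every basis vector whose `control` bit is 1."""
    out = list(state)
    for i, amp in enumerate(state):
        if bit(i, control):
            out[i ^ mask(target)] = amp
    return out

def swap(state, a, b):
    """Exchange qubits a and b (the permutation of step 3)."""
    out = list(state)
    for i, amp in enumerate(state):
        if bit(i, a) != bit(i, b):
            out[i ^ mask(a) ^ mask(b)] = amp
    return out

def single(state, gate, qubit):
    """Apply a 2x2 gate to one qubit of the register."""
    out = list(state)
    for i in range(len(state)):
        if bit(i, qubit) == 0:
            j = i | mask(qubit)
            a, b = state[i], state[j]
            out[i] = gate[0][0] * a + gate[0][1] * b
            out[j] = gate[1][0] * a + gate[1][1] * b
    return out

def encrypt(m, key):
    """key = (k1^1, k1^2, k2, k3, k4) with k4 one of "00", "01", "10", "11"."""
    k11, k12, k2, k3, k4 = key
    state = basis_state((k11, k12, m))   # step 1: |k1^1 k1^2 m>
    state = cnot(state, k2, 2)           # step 2: control qubit k2+1, target qubit 3
    if k3:
        state = swap(state, 1, 2)        # step 3: swap qubits 2 and 3
    if k4 == "01":                       # step 4: H on qubit 3 ...
        state = single(state, H, 2)
    elif k4 == "10":                     # ... or ZH (H first, then Z)
        state = single(state, H, 2)
        state = single(state, Z, 2)
    return state

def decrypt(state, key):
    """Undo the unitary steps in reverse order, then read the message qubit."""
    k11, k12, k2, k3, k4 = key
    if k4 == "01":
        state = single(state, H, 2)      # H is its own inverse
    elif k4 == "10":
        state = single(state, Z, 2)      # (ZH)^-1 = HZ: undo Z, then H
        state = single(state, H, 2)
    if k3:
        state = swap(state, 1, 2)
    state = cnot(state, k2, 2)
    index = max(range(len(state)), key=lambda i: abs(state[i]))
    ancilla_ok = (bit(index, 0), bit(index, 1)) == (k11, k12)
    if abs(abs(state[index]) - 1) > 1e-9 or not ancilla_ok:
        raise ValueError("wrong key: decryption did not restore |k1^1 k1^2 m>")
    return bit(index, 2)

def overlap(s1, s2):
    """|<s1|s2>|; 0 means orthogonal, i.e. perfectly distinguishable."""
    return abs(sum(a.conjugate() * b for a, b in zip(s1, s2)))

def all_keys():
    for k11, k12, k2, k3 in product((0, 1), repeat=4):
        for k4 in ("00", "01", "10", "11"):
            yield (k11, k12, k2, k3, k4)

def roundtrip_ok():
    """Every (key, message) pair decrypts back to the original bit."""
    return all(decrypt(encrypt(m, k), k) == m for k in all_keys() for m in (0, 1))
```

Under one fixed key the two ciphertexts stay orthogonal (they must, for unitary decryption to work); the non-orthogonality the paper relies on is between ciphertexts under different keys, which is what `overlap` exposes.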
3. Physical realization

The pre-shared four groups of keys can be realized by classical or quantum
means. To guarantee the absolute security of the keys, one can employ quantum
key distribution, e.g. the BB84 protocol, which is now mature and commercially
available (id Quantique). The encrypting procedure of the proposed algorithm is
shown in Fig. 1. In the figure, $S_1$, $S_2$, $S_3$ are three quantum switches under
the control of $k_2$, $k_3$ and $k_4$, respectively. When the element of $k_2$ is 0, $S_1$
switches onto 1, otherwise $S_1$ switches onto 2. When the element of $k_3$ is 0,
$S_2$ puts through 1, or else 2. When the element of $k_4$ is 00 or 11, $S_3$ links to 2,
and when the element is 01, $S_3$ links to 1, or else 3.




Figure 1. Schematic for encryption by quantum cryptographic algorithm

From Fig. 1, one can see that the quantum cryptographic algorithm based
on quantum computation only involves simple quantum logic gates, which
can easily be realized physically. Furthermore, the message to be encrypted
and the keys adopted while encrypting are all classical. The ciphertext states
are directly sent to Bob through an optical fiber channel or via air after all the
encryption processes are finished by Alice. Upon receiving the ciphertext state,
Bob decrypts it in time and it is not necessary to store the quantum states. Most
important of all, the algorithm can be realized with existing technology and
may have wide application, with quantum error-correcting technology to
enhance its performance.

4. Summary 

In this paper, a novel quantum cryptographic algorithm to encrypt classical
binary bits is proposed. The security and the physical implementation of
the quantum cryptographic algorithm are analyzed in detail. It is shown that
the proposed algorithm can prevent quantum attack strategies as well as classical
attack strategies. The encryption circuit is suggested in principle and can
be realized with existing technology. Since a vast amount of private classical
information exists and it is impossible to convert it into the form of quantum
information even once the quantum computer becomes reality, the proposed
algorithm is of much value.
Abstract A practical quantum key distribution network system based on a stratospheric
platform is proposed, and the feasibility of a stratosphere quantum key distribution
network is analyzed. As the length of the quantum communication channel in the
atmosphere has reached 23.4 km, the proposed quantum key distribution network
system has good prospects for practical applications.

Keywords: quantum key distribution; quantum cryptography; stratospheric platform; quantum relay

Introduction 

Since the first quantum key distribution (QKD) protocol was proposed in
1984 (BB84, Bennett et al 1984), quantum cryptography has received extensive
research (Ekert 1991, Bennett et al 1992, Bennett et al 1993), as it provides uncon-
ditional security for the obtained key and allows successful detection of eaves-
dropping. Up to now, experiments show that the transmission distance of quantum
bits may reach 100 km (optic.org 2003) in optical fiber and 23.4 km (Kurtsiefer et
al 2002) in the atmosphere, which means that a practical QKD system becomes
possible. Exciting news is that some QKD products have been manufactured
in Switzerland (News feature 2002). To practice QKD in the atmosphere, As-
pelmeyer and his colleagues proposed a model to distribute quantum keys based
on a satellite network by employing entangled photons (Aspelmeyer et al 2003).
However, this approach not only carries a high cost, but is also infeasible with
current technology.

A more practical model of distributing quantum keys in the atmosphere is to
employ a stratospheric platform, according to current technology. In the
proposed model we employ the stratospheric platform as a transmitter, a
receiver, or a relay station in stratosphere quantum communication (SQC), so the
situation will be different. Normally, a stratospheric platform floats in an
atmospheric band about 15 km above the ground. The cost to build a stratospheric
platform is far below that of launching a satellite. At the same time, it is convenient to
maintain the equipment, the communication environment is comparatively
simple and stable, and it never brings garbage into space. Recently, the
experimental result of a quantum communication distance of 23.4 km means
that SQC is quite feasible.

In this paper, a practical model of QKD based on a stratospheric platform is
proposed for the first time. The organization of this paper is as follows. First, some
characteristics of the stratosphere are introduced. Then, the architecture of a QKD
network based on the stratospheric platform is proposed. Finally, the quantum
communication network based on optical fiber and the classical communication
network are associated with the QKD. It is shown that the scheme proposed in this
paper has good prospects in practical applications.

1. Feasibility of stratosphere QKD network 

The stratosphere is normally located 10-15 km above the earth's surface, lying
between the troposphere and the mesosphere (near 45-50 km altitude). Little mois-
ture enters the stratosphere, so clouds are rare and violent storms do not occur
there. Thus the conditions favor the transmission of entangled photons
in the atmosphere. The stratospheric platform we mention here usually refers to
an airship which is lighter than air. People can perform military reconnaissance,
scientific research, wireless communication and weather surveys using such
airships (Shields 2003).

According to the characteristics of the stratosphere and quantum communica-
tion, we recently proposed a novel model called SQC (Stratosphere Quan-
tum Communication). SQC exploits quantum communication equipment
and other service loads carried on the stratosphere airship platform as com-
munication relay stations or communication terminals. By exploiting SQC,
communicators may exchange information, such as obtaining quantum keys,
among SQC stations and ground quantum communication (GQC) stations via a
quantum channel or a hybrid channel combining a quantum channel with a classical
channel. Since the atmospheric properties of the stratosphere are stable and the strato-
spheric platform is only about 15 km above the earth's surface, and, in addition,
quantum communication over a distance of 23.4 km has been realized
experimentally, a stratosphere QKD network is feasible.
2. Models of QKD network

To realize the QKD network based on the stratospheric platform, we first give
some typical models of QKD networks, which mainly include the end-to-end QKD
system, the star-network of QKD, the arbitrary QKD network and the global QKD network.
During our explanation of the stratosphere QKD network, a famous QKD protocol,
called the EPR protocol (Ekert 1991), is used as an example. Polarization-
entangled photons will be employed here as the source of communication, which
can be denoted as follows:

W = (1) 

where the subscripts $a$, $b$ denote Alice's and Bob's particles in the same EPR pair, and
$|\!\uparrow\rangle$ and $|\!\downarrow\rangle$ are the possible states they may be in.

2.1 End-to-end QKD system 

An end-to-end QKD system is shown in Fig. 1. Either an SQC station or a
GQC station can be a transmitter and the other will be a receiver.

Figure 1. End-to-end QKD system

A transmitter, say, Alice, includes a photon source for emitting pairs of
spin-1/2 particles in a singlet state. The transmitter holds one photon of the
entangled pair and makes the other fly apart towards the receiver, Bob. Alice
and Bob select the orientation of their detectors randomly and independently for
each pair of incoming particles. The results of their measurements are either
+1 or -1, which means spin up or spin down, and this can imply one bit of
information. After the transmission has taken place, Alice and Bob announce
publicly the orientations of the analyzers they have chosen, as stated by Ekert.
The measurements are divided into two separate groups by Alice and Bob: a
first group for which they used different orientations of their detectors, and a
second group for which they used the same. They discard all the measurements
in which either or both of them failed to record a particle at all.

Subsequently, Alice and Bob can reveal in public the results they got, but only
within the first group of measurements, which determines whether the
results of the second group owned by Alice and Bob are anticorrelated and can
be converted into a secret string of bits or not. This secret string of bits is the
so-called secret key, which can be used to perform secure communication.

As the process is fulfilled by physical means and is protected by the complete-
ness of quantum mechanics, the eavesdropper cannot get any information from
the particles during the transmission and his disturbance will be successfully
detected.

Also, Alice and Bob can transfer entangled photons to each other so as to
build up one or more quantum channels to perform QKD protocols. Such a
QKD system is the simplest model in the stratosphere QKD network.
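The EPR exchange just described, with its two measurement groups, as an added Monte-Carlo model that is not code from the paper: singlet outcomes are drawn classically from their quantum probabilities, the three detector orientations per side follow Ekert's choice, and the function names are this example's own.

```python
"""Added example (not the paper's code): Monte-Carlo model of the EPR/Ekert
exchange above.  Singlet outcomes are drawn from their quantum probabilities."""
import math
import random

# Ekert's three detector orientations per side; the two shared angles
# (pi/4 and pi/2) form the "same orientation" group that yields the key.
ALICE_ANGLES = (0.0, math.pi / 4, math.pi / 2)
BOB_ANGLES = (math.pi / 4, math.pi / 2, 3 * math.pi / 4)


def singlet_outcomes(rng, a, b):
    """One (alice, bob) pair of +1/-1 spin outcomes for a singlet measured
    along angles a and b.  For a singlet P(same sign) = sin^2((a - b) / 2),
    so equal orientations give perfectly anticorrelated results."""
    alice = rng.choice((1, -1))              # each local outcome is uniformly random
    same_sign = rng.random() < math.sin((a - b) / 2) ** 2
    bob = alice if same_sign else -alice
    return alice, bob


def run_protocol(n_pairs, seed=0):
    """Simulate n_pairs transmissions with random, independent orientation
    choices.  Returns (same-orientation group, different-orientation group)."""
    rng = random.Random(seed)
    group_same = []        # second group of the text: becomes the secret key
    group_diff = {}        # first group: (a, b) -> products alice*bob, revealed publicly
    for _ in range(n_pairs):
        a = rng.choice(ALICE_ANGLES)
        b = rng.choice(BOB_ANGLES)
        ra, rb = singlet_outcomes(rng, a, b)
        if a == b:
            group_same.append((ra, rb))
        else:
            group_diff.setdefault((a, b), []).append(ra * rb)
    return group_same, group_diff


def sifted_key(group_same):
    """Alice keeps her bits as measured; Bob inverts his, because the
    singlet outcomes are anticorrelated.  Returns (alice_bits, bob_bits)."""
    alice = [1 if ra == 1 else 0 for ra, _ in group_same]
    bob = [0 if rb == 1 else 1 for _, rb in group_same]
    return alice, bob


def correlation(group_diff, a, b):
    """E(a, b): mean product of the publicly revealed outcomes."""
    samples = group_diff[(a, b)]
    return sum(samples) / len(samples)


def bell_parameter(group_diff):
    """Ekert's S = E(a1,b1) - E(a1,b3) + E(a3,b1) + E(a3,b3).  An undisturbed
    singlet gives S = -2*sqrt(2); if an eavesdropper measured the particles in
    transit the correlations become classical and |S| <= 2, which is the
    disturbance detection the text refers to."""
    a1, _, a3 = ALICE_ANGLES
    b1, _, b3 = BOB_ANGLES
    return (correlation(group_diff, a1, b1) - correlation(group_diff, a1, b3)
            + correlation(group_diff, a3, b1) + correlation(group_diff, a3, b3))
```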

2.2 Star-network of QKD

Figure 2. Star-network of QKD

A little more complicated network is shown in Fig. 2, which is called the star-
network of stratosphere QKD. Any quantum communication station can be a
center node, so it can distribute entangled photons to any other nodes, including
SQC stations and GQC stations, to set up a star-network of SQC.

Such a network can easily perform entanglement-based QKD protocols. The
center will be a resource which is responsible for producing entangled photon
pairs. The center distributes entangled particles to the legitimate users respectively,
say, Alice and Bob. Then Alice and Bob choose the orientation randomly while
detecting the incoming photons. They announce their measurement results
by classical stratospheric communication means, and deduce the secret key to
complete encryption and decryption.

The star-network allows QKD among multiple users. But it also
has a disadvantage: once the center is unavailable, the network can hardly
carry out any quantum communication. With existing technologies, the above
two QKD systems can be realized in practice.

2.3 Arbitrary QKD network

Figure 3. Arbitrary QKD network

If relay technologies are adopted here, an arbitrary network of stratosphere
QKD can be built up, as shown in Fig. 3. The relay technologies mainly contain
quantum teleportation, quantum purification and quantum swapping. With relay
technologies, any node in the network can be used to carry either a transmitter of
entangled photons, a receiver, or a relay station to distribute photons to further
locations, which will permit different applications, but the relay module only
redirects and/or manipulates qubit states without actually detecting them. The
required shared entanglement can be established either by two downlinks or by
using additional stratospheric platforms. For example, SQS1 sends one photon
of an entangled photon pair to G1a and sends the other to SQS2. SQS2 sends
one photon of an entangled pair produced by itself to G2, but keeps the
other. Then SQS2 performs a Bell-state measurement on the two independent
photons, of which one is kept by SQS2 and the other is received from
SQS1. The result of such a measurement is that the two photons, one
owned by G1a and the other owned by G2, become a new entangled photon
pair. Subsequently, G1a and G2 may use the entangled photons to perform the EPR
protocol.

2.4 Global QKD network

Figure 4. Global QKD network

The most ambitious QKD network is shown in Fig. 4; in addition,
the quantum network based on optical fiber and the classical communication net-
work are involved in such a network. Some desirable attributes of the QKD
network are safe management of keys, quantum authentication, efficient trans-
mission of keys and robustness, etc. Furthermore, such QKD can be integrated
with IPsec so as to secure internet traffic, which has been stated in detail by
Chip Elliott (Elliott 2002).
3. Implementation and applications

The realization of a stratosphere QKD network depends on the technology of
the stratospheric platform. Stratospheric communication has many advantages
compared to satellite communication: its cost is relatively much
lower, maintenance is simple and convenient, and it favors environmental
protection. The United States, Europe and Japan have invested much in the study
and research of stratospheric platforms. Once the stratospheric platform can be
practically deployed (which is anticipated to be at the end of 2005) and is in
wide use, our scheme is undoubtedly more feasible than the idea of distributing
entangled photons using satellites. The performance of a stratosphere QKD
network is also related to the weather conditions. We are now studying some
related problems and making progress. Moreover, relay technology will be
required in order to form a wide-scale network, where researchers have also
made breakthroughs recently (Marcikic et al 2003, Grosshans et al 2003, Pan et
al 2003). With the above conditions, stratosphere QKD, quantum authentication
and quantum secret sharing can be performed. If the stratosphere QKD network
is combined with the quantum communication network based on optical fibers
and the internet or other classical communication, a global secure communication
network can be built.

4. Summary 

Based on the stratospheric platform, the architecture of a practical QKD network
is presented here. It is shown that in good weather conditions, the stratosphere
QKD scheme is feasible and practical. And if we combine the stratosphere
QKD network with the optical quantum communication network and the internet or
other classical communication means, a global secure communication network
can be implemented.
Abstract People pay more attention to the security issues of the P2P network, and propose
different security solutions for different applications. In this paper, we begin
with studying the features of the P2P network, analyze the security issues of the
P2P network, and establish the hierarchical division of the P2P network. We also
analyze the security issues according to the hierarchical division. At the end of this
paper, we analyze the shortcomings of the existing security technology being used in
P2P network applications, and set out the research orientation and tendency of
P2P network security.
1. Introduction

The P2P network and its applications are the focus of network application
research at this moment. Since Napster in 2000 [2], people have developed different
applications soon afterwards. Like other network applications, security
becomes the core issue that the P2P network has to resolve. Although in
SETI@home [5] a node assessment scheme was employed, some nodes have
been discovered to cheat in the system, and this also causes the security of the entire
system to be threatened. People use different security schemes according to
different security demands. Most existing security solutions use common
security technology as reference, such as PKI and SSL [11], yet no comprehensive
security solution aimed at the P2P network has been proposed. What is chiefly
lacking is a complete and systematic knowledge of the P2P network security
issue.

To the best of our knowledge, research on security issues of the P2P network
focuses on concrete applications, and there is a lack of security definition
and consideration of the P2P network as a whole. Here we analyze the security
issues of the P2P network from the point of view of the protocol stack. We also point
out the security issues in different layers and the security solutions.

This paper introduces the basic concepts of the P2P network and its security
issues. The concept of security hierarchical layers of the P2P network is proposed
in Section 2. In Section 3 we sum up the security solutions of existing systems,
beginning with the analysis of the security demands of different applications.
Section 4 analyzes the security issues faced in each layer, the existing
hidden security dangers and probable attack measures. In Section 5 the focus
of research in P2P network security and its development tendency are pointed out.

2. Basic Concepts 

2.1 The P2P Network 

2.1.1 Definition of the P2P Network. Which kinds of network count as
P2P networks should first be delimited. There are some definitions
such as [1]. These definitions present the nature of the P2P network through
distinct aspects. Here we may sum up some substances that P2P embodies:
resources and network nodes are situated at the network fringe, a node has
both client and server capacity, a node has an independent addressing means that is
independent of DNS, and nodes communicate with each other directly.

We will fully consider these distinguishing features of the P2P network
in the analysis of the P2P network security issues.

2.1.2 The P2P Networking Protocol Stack. The P2P network is a
virtual network established on the basis of the available network. Compared with
traditional network applications, we think that the P2P network is hierarchical.
Here are the functions and definitions of each layer of the P2P network.

1) Connection layer: the location of resources and the routing of messages
are provided in this layer. There are three main kinds of realization methods of the
connection layer at the moment:

• Centralization: This type of network takes Napster as representative. All
searching of nodes and resources starts wholly from the server.

• Network of discrete structure: No central server is used to register the
locations of resources, but it has a steady structure. Concrete representatives consist
of Chord [14] and Tapestry [15].

• The network of discrete non-structuring: the topology of the nodes is
configured, and the time when a node joins and leaves the network is not
fixed. JXTA is such a type.

2) Service layer 

This layer mainly consists of the operation interfaces from the consumer to
the resources, which we call services here. This layer provides services of
relevant functions to the application layer. These services can be divided into
core services and ordinary services.

3) Application layer

It mainly consists of concrete P2P applications. A P2P application should
provide a reasonable interface for users to manage and fix the network,
and the response process to events and operations.

2.2 The P2P Network Security 

2.2.1 Definition of Security. Security itself is very wide in range, and it
embodies the ideas of system reliability, degree of trust and fault-tolerance.
Security is a layered concept and the layers correspond to the hierarchy of
the P2P network. Here we give the security definition for each P2P layer:

Definition 1: Security of the connection layer may be expressed as:

P(S)=F(n,f,h);

Here P(S) is the security of the connection layer, n is the method to define
the name space, F acts as the mapping algorithm, and h is the reliability
hypothesis of the connection layer.

Definition 2: The security of the service layer is the security of the security
service.

That service security is different according to the different security service
chosen by the application.

Definition 3: The security of the application layer is chiefly the meeting of the
security demands of the system.

Whether the security demands of a system are met is the significant judging
criterion of the security of the application layer and even of the entire system.

Researching the security of the P2P network from these three layers is our
main standpoint.

2.2.2 Research Methods of the P2P Network Security. The P2P
network is essentially a network system. The research means can learn from
what is commonly used for a network system. We will analyze the existing
P2P applications using the two methods separately, finding out the resolution
elements and solution schemes.

1) Begin with the security demands, map the demands to each layer,
plan security functions in each layer, and guarantee the security of the system
as a whole.

2) Begin with analyzing the hidden security dangers of each layer, and
provide targeted modification means. These two methods are the most
common methods used in system security design.

3. Secure Demands Analysis of the P2P Network 

3.1 P2P Computing 

P2P computing comprises the applications in which CPU cycles are shared.
In P2P computing the task is decomposed into subtasks finished in
different nodes, by which the resources at the fringe can be used. P2P
computing is a kind of distributed computing in nature. Representatives of
P2P computing are SETI@home and Megi [13].

Here we may divide P2P computing into several implementation
steps: task formation, task decomposition, task distribution and result
submission.

We sum up the security demands from the items mentioned before:

1) Code protection. Correctness, completeness and non-repudiation
should be guaranteed in the process of subtask publishing.

2) Two-way authentication should be carried out between the nodes. When
completing a task, we should trace the state of its completion.

3) Node protection. This requires that the nodes participating in P2P
computing should not suffer from hidden security dangers.

4) Result protection. The subtask is completed and the result submitted
must be safeguarded.

5) Mutual information protection. When mutual information
exists, it should be guaranteed.

3.2 Cooperation Computing 

Cooperation computing is the most popular P2P application. The most fa-
mous cooperation computing systems in the P2P network are Groove and Avaki. Their
emphases differ: Groove is chiefly used in the business domain,
consisting of file sharing, instant messaging, whiteboard com-
munication and so on; Avaki chiefly provides support for mobile code.

Groove proposes a relatively integrated security solution scheme. In
Groove, the concept of a secure sharing room is introduced. The shared files
and programs are included in the secure sharing room.

Cooperation computing deals with resource sharing between users,
so the access control issue should be settled mainly. Concretely it includes:

1) Role-based access control mechanism. Frequently whether or not a resource
can be accessed by a user is determined according to the role of the user.

2) Separating consumer, node and resources. This is because the same
user can access the resources from different nodes.

3) Authentication mechanism based on the user's attributes. In cooperation com-
puting, what people are frequently concerned about is which attributes a person
must have to participate in the work, and not who he is.

4) People in distinct organizations and areas may carry out authentication
reciprocally. By this a user can get consistent authentication across different
domains.

3.3 File Sharing 

File sharing is the original design intention of the P2P network. There are
two main types of this application. One aims at exchanging files, the
other aims at anonymous publishing. Of these two types, the
latter has more security demands, including:

1) Guaranteeing that the transferred file is complete and secret

2) Guaranteeing that the file cannot be forged

3) Guaranteeing that the file cannot be tampered with

4) The system has the ability of anti-tracing and anti-auditing

5) Publishing is transparent to users

4. The P2P Network Security Hidden Danger and Attack 

4.1 Connection Layer 

The main functions of the connection layer consist of resource searching,
locating and routing. It is the base of the whole P2P network. The routing
algorithm is composed of: the naming space of resources, the addressing space of
nodes, and the mapping algorithm from naming space to addressing space.

4.1.1 Distributing of the Space. There are three kinds of distribution
algorithms, which all have security issues. Here we mainly find out the hidden
security dangers and countermeasures.

1) Distributing the addresses of resources and nodes completely randomly.
The completely random distribution method is the common way used by much
P2P research. This may create some hidden danger. A malicious node
may choose a certain number as its serial number. It can even choose the
number of some other resource, by which it may impersonate someone.

2) A solution is to get the serial number from a CA node using encryption.
This solution binds the certificate to a node. This method is a direct
extension of PKI. Of course the CA may bring a scalability issue to the system,
and a single point of failure. All these issues should be solved when using this
method.

3) Another method is to use the public key directly.

The creation of the public key is stochastic, so the node can get its serial
number at the same time, which does not need a certificate from a CA. This method
solves the scalability issue of using a CA.

4.1.2 Mapping from Resource to Address Space. There are two
main mapping algorithms. One is based on the hypothesis that the network
architecture is a discrete structure. Such algorithms include CAN, DHT, Pastry
and so on, and can achieve high resource searching efficiency. The other
is based on the hypothesis that the network is discrete and unstructured. Both of
these two methods use the idea of a DHT.
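A minimal illustration of method 3 of 4.1.1 together with the name-space-to-address-space mapping of 4.1.2, as an added example not taken from the paper: serial numbers are derived from public keys, a join is refused when the claimed number cannot be recomputed from the presented key, and resources are mapped to the responsible node on a Chord-style ring. The key bytes and the ring size are constructed placeholders.

```python
"""Added example (not the paper's code): a Chord-style ring whose serial numbers
are derived from public keys (method 3 above) and the join check that rejects a
freely chosen serial number (the hidden danger of method 1)."""
from bisect import bisect_left, insort
import hashlib

ID_BITS = 32   # toy ring size; deployed DHTs use 128-160 bit identifiers


def node_id(public_key: bytes) -> int:
    """Self-certifying serial number: the top ID_BITS bits of SHA-256(public key)."""
    digest = hashlib.sha256(public_key).digest()
    return int.from_bytes(digest, "big") >> (256 - ID_BITS)


def resource_id(name: str) -> int:
    """Resource name space -> address space, through the same hash."""
    return node_id(name.encode("utf-8"))


def accept_join(claimed_id: int, public_key: bytes) -> bool:
    """Peers accept only an ID that is recomputable from the presented key, so a
    node cannot pick the number of a resource or of another node it wants to
    impersonate; no CA is consulted."""
    return claimed_id == node_id(public_key)


class Ring:
    def __init__(self):
        self.ids = []          # sorted node IDs
        self.keys = {}         # node ID -> public key that certifies it

    def join(self, claimed_id: int, public_key: bytes) -> bool:
        if not accept_join(claimed_id, public_key) or claimed_id in self.keys:
            return False
        insort(self.ids, claimed_id)
        self.keys[claimed_id] = public_key
        return True

    def successor(self, rid: int) -> int:
        """Node responsible for resource rid: first ID >= rid, wrapping around."""
        if not self.ids:
            raise LookupError("empty ring")
        i = bisect_left(self.ids, rid)
        return self.ids[i % len(self.ids)]


# Constructed sample keys (placeholders, not real public keys).
KEY_A = b"constructed-public-key-of-node-A"
KEY_B = b"constructed-public-key-of-node-B"
KEY_C = b"constructed-public-key-of-node-C"


def build_ring():
    """Three honest nodes join with the IDs their keys certify."""
    ring = Ring()
    for key in (KEY_A, KEY_B, KEY_C):
        ring.join(node_id(key), key)
    return ring
```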

Now the security of the DHT is researched by [16]. The main opinions of
these researches are:

1) Security of the DHT

The research in this field is based on the papers of Morris. He proposed
a framework for enhancing the security of the P2P network. He viewed the
jobs of creating and maintaining the routing table and node searching as security
tasks. He gave the potential attacks on the P2P network, but he only gave
qualitative conclusions. Wallach [18] provided a deeper conclusion and
made an improvement to the DHT. Using this method he can guarantee that if
there are fewer than 30% hostile nodes in the network, 99% of routing messages can
arrive correctly.

2) Research on the types of attack

People have found many attacks against the routing algorithm such as DoS,
Byzantine attacks and the Sybil attack. [22] analyzes the reasons why these attacks
arise and their different forms under various conditions, and draws the
conclusion that it is very difficult to guarantee the security of the ID.

3) Analyzing the security of the application

Bellovin [21] analyzes the security issues faced by Napster and Gnutella [10].
One security issue is caused by the PUSH operation of Gnutella. This operation
can step through the firewall, and someone can mount a DoS attack using this operation.

4.2 Service Layer 

The security of the service layer mainly refers to the security of the security 
services provided in the P2P network. The most widely used security service is 
certificate-based authentication. Another important issue is how to establish 
the security point, i.e. the interface at which security issues are handled. 
Establishing the security point is an important issue in the process of 
implementing a P2P network. 

4.2.1 Security Service Protocol. The security service protocol is based 
on certificates, so the core issue in P2P network security is the management 
of certificates. The security of the SSL protocol has been studied deeply; here 
we consider the security issues of SSL in the P2P network. 

The existing methods of getting and validating certificate include: 

1) Based on a CA: In the P2P network this method has a scalability problem, 
and its cost is very high. This does not fit the design of the P2P network. 

2) Self-issued certificates: Every node can issue a certificate to itself. The 
main difficulty with this method is validating and managing the certificates. 

At present, using and managing certificates remain difficult issues to be solved 
in the P2P network. 

4.2.2 Establishing the Security Point. The main methods for defining 
the security point are: 

1) Single security point: Such a system usually has few special security 
demands. The security point is established where users log in, and the other 
subsystems rely on the default authentication. 

2) Multiple security points: Such a system establishes multiple security points 
according to the system's demands; megi, for example, establishes two security 
points, one in the communication layer and one for user authentication. 

How the security point is established differs from application to application. 
One should first guarantee that the security point cannot be bypassed; many 
hidden dangers are caused by this mistake. 

4.3 Application Layer 

The security of the application layer chiefly means meeting the system's 
security demands. Here we consider the security of the application layer as 
code security. 

At present there is little research on code security in the P2P network. This is 
because it is difficult to validate the security of the code itself, and many 
projects solve security issues in the lower layers; the upper layer only handles 
interaction with users and touches few security issues. 

5. Conclusion 

From the features of the P2P network we can see that its security issues are 
similar to those of other network applications. Some common security solutions 
work well in the P2P network. 

Learning from the current research, we can draw the conclusion that 
interoperation between domains and standardization are the most important 
issues to be solved. Interoperation between domains in the P2P network means 
that the authentication and access control methods of different domains can 
understand each other. An effective way to solve this issue is standardizing the 
protocol. At present we can learn from trust management systems and the Globus 
standard protocol. We think this work may have a deep influence on the P2P 
network. 
Abstract Defense against distributed denial-of-service attacks is one of the hardest security 
problems on the Internet. Among those problems, the most difficult is to trace 
the attacks back to their origin, because attackers always use incorrect or 
spoofed IP addresses in the attack packets. In this paper, we propose a multi- 
edge marking scheme, which allows the victim to trace back to or near to the 
origin of the attackers with the help of the network administrator. The scheme 
features high performance efficiency and no false positives. Compared with the 
previous solutions, it has high precision and low computation overhead for the 
victim to reconstruct the attack paths. Based on this marking scheme, DDoS 
Scouter is developed. 

Keywords: DDoS attacks, IP traceback, packet marking 

1. Introduction 

With the wide deployment of the Internet, security problems have become an 
extreme threat to the Internet society. Due to the stateless and destination-IP- 
address routing nature of the Internet, denial of service attacks (DoS) are the 
most reported security problem. A denial-of-service attack (DoS) aims at 
denying a victim (host, router, or entire network) the ability to provide or 
receive normal services on the Internet. Distributed denial-of-service attacks 
(DDoS), typically conducted by flooding network links with large amounts of 
traffic (which is the focus of this paper), consume the resources of a remote host 
or network, thereby denying or degrading service to legitimate users. Such 
attacks are among the hardest security problems to address because they are 
easy to implement, difficult to prevent, and very difficult to trace. 

In general, there are two types of flooding attacks: direct attacks and reflector 
attacks. In a direct attack, an attacker arranges to send out a large number of 
attack packets directly toward a victim. Attack packet types can be TCP, ICMP, 
UDP, or a mixture of them. Before launching a direct attack, an attacker first 
sets up a DDoS attack network, consisting of one or more attacking hosts, a 
number of masters or handlers, and a large number of agents. The attacking host 
is a compromised machine used by the actual attacker to scan for vulnerable 
hosts and to implant specific DDoS master and agent programs. With an attack 
network ready, the attacking host may launch a DDoS attack by issuing an attack 
command with the victim's address, attack duration, attack methods, and other 
instructions to the masters. Each master, upon receiving the instructions, then 
passes them to its agents for execution. A reflector attack is an indirect attack in 
that intermediary nodes (routers and various servers), better known as reflectors, 
are innocently used as attack launchers. An attacker sends packets that require 
responses to the reflectors with the packets' inscribed source addresses set to 
a victim's address. Without realizing that the packets are actually address- 
spoofed, the reflectors return response packets to the victim according to the 
types of the attack packets. As a result, the attack packets are essentially 
reflected toward the victim, and the reflected packets can flood the victim's link 
if the number of reflectors is large enough. 

Because the results of DDoS attacks are a serious financial disaster to the 
victim, many research results aimed at preventing DoS/DDoS attacks have been 
obtained. They can be divided into three lines: attack prevention and preemption 
(before the attack), attack detection and filtering (during the attack), and attack 
source traceback and identification (during and after the attack). 

Although it is infeasible to use IP traceback to stop an ongoing DDoS attack, 
it can be very helpful in identifying the attacker and collecting evidence for 
post-attack law enforcement. 

Among the above techniques, attack traceback and identification has received 
much attention recently. It can usually be carried out during or after a DDoS 
attack. IP traceback refers to the problem, as well as the solution, of identifying 
the actual source of any packet sent across the Internet without relying on 
the source information in the packet. Up to now, there are generally two types 
of approach to the IP traceback problem. One is for routers to record information 
about the packets they have seen for later traceback requests, named logging. 
The other is for routers to send additional information about the packets they 
have seen to the packets' destinations, either in the packets themselves or via 
another channel, such as ICMP messages. 
In Bellovin's proposed ITRACE scheme, routers, with a very low probability, 
send ICMP messages to the destinations of packets they have just forwarded. 
For a high-volume flow, the victim will eventually receive ICMP messages from 
all of the ITRACE routers along the path back to the attackers, revealing their 
location. Savage and colleagues proposed a different scheme, in which routers 
with considerably higher probability mark the packets they process with highly 
compressed information that the victim can decode in order to detect the edges 
traversed by the packets, again enabling recovery of the path back to the 
attacker. However, the scheme runs into computational difficulties as the number 
of attackers increases. This problem is addressed by Song and Perrig by 
supplementing the scheme with the use of network topology maps. Recently, 
Snoeren and colleagues developed a Source Path Isolation Engine (SPIE) that 
records sets of hashes of packets traversing a given router. A victim can then 
locate the path of a given packet by querying routers within a domain for the set 
of hashes corresponding to the packet, provided that they issue the query soon 
enough after the packet was transmitted that the record of its presence is still 
available. SPIE has the major advantage that it can facilitate traceback of even 
low volume flows. 

There is a dilemma in designing an IP traceback scheme: time versus space 
requirements. Among the above systems, the logging-related schemes are said 
to be impractical because the storage requirement on the router is too high; the 
marking-related schemes have the disadvantage of high time consumption in 
collecting marked packets and constructing attack paths. 

From the victim's point of view, a quick response to the attack is much more 
desirable. However, in order to reduce the marking space requirement, the well- 
recognized schemes deploy coding techniques which lead to inefficiency in 
packet collection and attack path reconstruction, especially for DDoS attacks. 
The direct result is that the victim has to endure a longer attack. 

To make the IP traceback technique more practical, it is necessary to make a 
tradeoff between the time and space requirements. In this paper, we propose an 
on-demand probabilistic multi-edge IP marking technique for IP traceback. 
A marking enabled router only marks when it receives the marking instruction 
from the network administrator. In the scheme, the record route IP option is 
used to mark the IP addresses of the routers by which the packet is forwarded. 
Several IP addresses can be recorded in the record route IP option, so an attack 
packet can carry a segment of the attack path, which greatly improves the 
process of attack path reconstruction. 

Based on the proposed IP traceback technique, the DDoS Scouter system is 
designed to prevent DDoS attacks. The system consists of attack detection, 
IP traceback and packet filtering (intelligent packet filtering using the traceback 
scheme will be studied in another paper). 

The rest of the paper is organized as follows. Section 2 proposes the basic 
and authenticated multi-edge marking and traceback algorithms. In section 3, 
the DDoS Scouter system is presented. The testing results of the system are 
described in section 4. In section 5, some problems of the system are discussed, 
and section 6 concludes. 

2. Multi-edge marking 

When an IP marking scheme is designed or developed, the IP protocol should 
not be modified, or only slightly modified. In addition, the system should not 
add too much processing burden to the routers, which would lower their 
performance. It is also noticed that, without the help of the network 
administrator, it is very inefficient and difficult for the victim to do the 
traceback. 

2.1 Record route IP option 

The record route option provides a means to record the route of an Internet 
datagram. The option type is 7. A recorded route is composed of a series 
of Internet addresses (see Table 1). Because the record route IP option was 
designed for network control use, it is seldom used in today's Internet. In the 
multi-edge marking scheme, we make use of this IP option to mark the IP 
addresses of the routers through which the packets traverse. This requires no 
changes to the IP protocol. The record route option is not copied on 
fragmentation and goes in the first fragment only. It appears at most once in a 
datagram. 

Table 1. The data format of record route IP option 

    +----------+--------+---------+------------------------+ 
    | 00000111 | length | pointer | route data             | 
    +----------+--------+---------+------------------------+ 

Since the maximal Internet header is 60 octets, the record route IP option header 
is 3 octets and a typical Internet header is 20 octets, if there are no other IP 
options in use, the maximum number of IP addresses that the record route IP 
option can contain is 9 (= (60 - 20 - 3)/4). 
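As an added illustration (not code from the paper), the following Python builds and parses a record route option laid out as in Table 1, following the RFC 791 rules for the length and pointer octets, and also shows the covered-marking variant of Section 2.2 at the byte level. The function names and the sample addresses are my own.

```python
import ipaddress

IP_HEADER_MAX = 60      # largest IPv4 header (IHL = 15 words)
IP_HEADER_BASE = 20     # header without options
RR_OPTION_TYPE = 7      # copied=0, class=0, number=7: record route
RR_HEADER_LEN = 3       # type, length, pointer octets

# Section 2.1: (60 - 20 - 3) // 4 == 9 addresses when no other option is used.
RR_MAX_ADDRS = (IP_HEADER_MAX - IP_HEADER_BASE - RR_HEADER_LEN) // 4


def new_record_route(capacity=RR_MAX_ADDRS):
    """Return an empty option with room reserved for `capacity` addresses.

    RFC 791: the length octet counts type, length, pointer and route data;
    the pointer is 1-based and starts at 4, the first route data octet. The
    originator reserves the space, routers only fill it in."""
    if not 0 < capacity <= RR_MAX_ADDRS:
        raise ValueError("capacity must be 1..%d" % RR_MAX_ADDRS)
    length = RR_HEADER_LEN + 4 * capacity
    return bytearray([RR_OPTION_TYPE, length, 4]) + bytearray(4 * capacity)


def record_address(option, router_ip):
    """Router processing: write the address at the pointer and advance it.

    Returns False when the route data area is full (pointer > length); RFC
    791 then forwards the datagram unchanged, which is exactly the
    'uncovered' behaviour of the basic scheme."""
    if option[0] != RR_OPTION_TYPE:
        raise ValueError("not a record route option")
    length, pointer = option[1], option[2]
    if pointer > length:
        return False
    option[pointer - 1:pointer + 3] = ipaddress.IPv4Address(router_ip).packed
    option[2] = pointer + 4
    return True


def record_address_covered(option, router_ip):
    """'Covered marking' (Section 2.2): when full, drop the oldest address,
    shift the rest left and record the newcomer in the last slot."""
    if record_address(option, router_ip):
        return True
    length = option[1]
    option[RR_HEADER_LEN:length - 4] = option[RR_HEADER_LEN + 4:length]
    option[length - 4:length] = ipaddress.IPv4Address(router_ip).packed
    return True


def recorded_route(option):
    """Victim side: validate the option and return the recorded addresses."""
    length, pointer = option[1], option[2]
    if (option[0] != RR_OPTION_TYPE or length > IP_HEADER_MAX - IP_HEADER_BASE
            or (length - RR_HEADER_LEN) % 4 or len(option) != length):
        raise ValueError("malformed record route option")
    if pointer < 4 or pointer > length + 1 or (pointer - 4) % 4:
        raise ValueError("malformed pointer")
    data = option[RR_HEADER_LEN:pointer - 1]
    return [str(ipaddress.IPv4Address(bytes(data[i:i + 4])))
            for i in range(0, len(data), 4)]
```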

2.2 Algorithm 

The multi-edge marking appends an adjacent segment of the attack path to the 
record route IP option of the packet as it travels through the network from the 
attacker to the victim. Unlike the node append approach, the algorithm 
is probability based and does not append the routers' IP addresses to all 
packets. Because of the limited space in the IP header, not all the routers' IP 
addresses can be marked into the record route IP option if the attack path is 
longer than 9. Here, we propose to mark the packet probabilistically. When a 
marking enabled router forwards a packet destined to the victim and the packet's 
record route IP option is not opened, it determines probabilistically whether or 
not to open the record route IP option of the packet to do marking. If it decides 
to open the option, it appends its IP address to the record route IP option. If a 
packet is destined to the victim, its record route IP option is already opened and 
the number of appended IP addresses is less than 9, the router appends its IP 
address to the record route IP option. 

After the victim collects enough marked packets, it uses the multi-edges 
sampled in these packets to create a graph leading back to or near to the source 
or sources of the attack. Figure 1 depicts the full marking and attack path 
reconstruction algorithms. 

Marking procedure at router R: 
    for each packet w 
        if destination of w is victim then 
            if record route IP option is set on then 
                if the record route number < 9 then 
                    append R into w.record route IP option 
                endif 
            else 
                let x be a random number from [0,1] 
                if x < p then 
                    set the record route IP option on 
                    append R into w.record route IP option 
                endif 
            endif 
        endif 

Path reconstruction procedure at victim v: 
    let NodeTable be an empty diagonal matrix, whose elements are tuples nt(node, count) 
    for each path segment (R_1, R_2, ..., R_n, 1 <= n <= 9) of attack path in the attack packet 
        for each router R_i (i = 1, ..., n) 
            if R_i is not in the column then 
                add R_i into the diagonal matrix 
                set nt(R_{i-1}, R_i) and nt(R_i, R_{i+1}) to be (1, 1) 
            else 
                increase nt(R_{i-1}, R_i).count and nt(R_i, R_{i+1}).count by 1 
            endif 
    draw the attack path according to the NodeTable established. If nt(R_i, R_j).node = 1, 
    R_i and R_j are connected directly. 

Figure 1. The multi-edge marking and path reconstruction algorithms 

The marking algorithm depicted in Figure 1 is named uncovered marking, 
which means that a marked IP address cannot be overwritten by a later router. 
As a result, the further a router is from the victim, the lower the probability that 
its IP address is marked. The marking algorithm can be modified to 
covered marking, i.e. when the IP option is full and another router wants 
to mark its IP address, the very first IP address is shifted out to make space 
for the newcomer. 

Consider the DDoS attack as propagating in a tree T, where the root 
of T is the victim, each internal node in T corresponds to a router R 
on the Internet, and each leaf in T is an attacking host. Our goal in the traceback 
problem is to identify the internal nodes of T and to draw the tree. Since 
the marked packets carry a sequential segment of the path through which they 
pass, the victim need not determine the location of each router (IP 
address) on the path. It just needs to draw a connected graph according to 
the sequential segments collected. Compared with the available schemes, the 
victim need not determine which router is located before or after another 
router (which may dominate the path reconstruction time), so the attack path 
reconstruction algorithm here is both robust and extremely quick to converge, 
especially in reconstructing multiple attack paths in DDoS attacks. 

2.3 Analysis 

The victim uses the edges marked in the attack packets to reconstruct the 
attack graph; the algorithm is depicted in Figure 1. Note that the 
marking scheme is uncovered, which means that if a packet is marked at router 
R, the following routers must mark their IP addresses into the packet unless 
there is no space left in the record route IP option. So the probability of 
receiving a sample becomes smaller the further away a router is from the victim. 
The time for the algorithm to converge is dominated by the time to receive a 
sample from the furthest router. Let L be the length of the attack path, p the 
marking probability and N the number of IP addresses that the record route IP 
option can contain, here 9. The expected number of marked packets needed 
to reconstruct the attack path is ⌈L/Np⌉. Some research results indicate 
that the distance between two arbitrary hosts in the Internet does not exceed 30 
hops. If every marked packet carries 9 routers' addresses and the path segments 
do not overlap, 4 marked packets are enough to reconstruct the longest attack 
path in the Internet. 
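The following Python simulation, added here and not part of the paper, implements the two procedures of Figure 1 (Section 2.2) over a list of router addresses and lets the ⌈L/Np⌉ estimate of Section 2.3 be compared with a run: probabilistic opening of the option, appending while fewer than 9 entries are present (with the covered variant as an option), and the victim's edge table from which the path is read back. It abstracts the option to a Python list, assumes a single attack path, and all names and addresses are my own.

```python
import math
import random

N_ADDRS = 9   # addresses the record route option can hold (Section 2.1)


def mark_packet(path, p, draw, covered=False, capacity=N_ADDRS):
    """Forward one packet along `path` (attacker side first, victim side last)
    and return the route segment it carries on arrival at the victim.

    Router side of Figure 1: a router that sees the option closed opens it
    with probability p (draw() returns a uniform number in [0,1)); once open,
    every later router appends while space remains. With covered=True
    (Section 2.2, covered marking) a router that finds the option full
    shifts the oldest address out instead of being left unrecorded."""
    segment = None                      # None means the option is not opened
    for router in path:
        if segment is None:
            if draw() < p:
                segment = [router]
        elif len(segment) < capacity:
            segment.append(router)
        elif covered:
            segment = segment[1:] + [router]
    return segment or []


def add_segment(node_table, segment):
    """Victim side of Figure 1: NodeTable maps each edge (R_i, R_i+1) seen in
    a marked packet to the number of segments in which it appeared."""
    for a, b in zip(segment, segment[1:]):
        node_table[(a, b)] = node_table.get((a, b), 0) + 1


def reconstruct_path(node_table):
    """Read the path back from the edge table, attacker side first.

    The router nearest the victim is the only node without a successor. If
    some edge was never sampled, the graph is in several pieces and several
    such nodes exist: the victim has not yet collected enough packets."""
    preds, succs = {}, {}
    for a, b in node_table:
        preds.setdefault(b, []).append(a)
        succs.setdefault(a, []).append(b)
    ends = [n for n in preds if n not in succs]
    if len(ends) != 1:
        raise ValueError("path not yet connected, fragments end at %r" % ends)
    path, node = [ends[0]], ends[0]
    while node in preds:
        node = preds[node][0]           # single attack path: one predecessor
        path.append(node)
    return list(reversed(path))


def expected_packets(L, p, N=N_ADDRS):
    """The paper's estimate of the packets needed, ceil(L / (N p))."""
    return math.ceil(L / (N * p))


def simulate(path, p, n_packets, seed=1, covered=False):
    """Send n_packets along `path`, mark them, and reconstruct at the victim.
    Returns (reconstructed path, number of packets that carried a marking)."""
    rng = random.Random(seed)
    table, marked = {}, 0
    for _ in range(n_packets):
        seg = mark_packet(path, p, rng.random, covered)
        if seg:
            marked += 1
            add_segment(table, seg)
    return reconstruct_path(table), marked


if __name__ == "__main__":
    # constructed 24-hop path (the S2 scenario of Section 4), p = 0.05
    hops = ["10.0.%d.1" % i for i in range(1, 25)]
    rebuilt, marked = simulate(hops, 0.05, 400)
    print("estimate", expected_packets(24, 0.05), "marked", marked,
          "recovered", rebuilt == hops)
```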

2.4 Authenticated multi-edge marking algorithm 

A main disadvantage of the basic multi-edge marking scheme is that the 
packet markings are not authenticated. Consequently, a compromised router 
on the attack paths could forge the markings by appending spoofed IP addresses 
or filling up the record route option with spoofed IP addresses, preventing the 
victim from determining the attack paths. To solve this problem, we need a 
mechanism to authenticate the packet marking. A straightforward way to 
authenticate the marking of the packets is to have the router digitally sign the 
marking. However, digital signatures are very expensive to compute and have a 
large space overhead. Here, we propose a much more efficient technique to 
authenticate the packet marking. The technique uses only one cryptographic 
MAC (Message Authentication Code) computation per marking, which is much 
more efficient to compute (e.g., HMAC-MD5 is three to four orders of magnitude 
more efficient than 1024-bit RSA signing) and can be adapted so that it only 
requires 16 bits of storage overhead. It is conjectured that it is computationally 
infeasible to produce two messages having the same message digest, or to 
produce any message having a given pre-specified target message digest. Since 
the standard output of MD5 is a 128-bit message digest, it is modified to produce 
a 16-bit output. In order to avoid collisions, packet-specific information is 
necessary. Let h_K denote the MAC function using key K. If each router R_i 
shares a unique secret key K_i with the victim, R_i can apply h_{K_i} to its IP 
address and some packet-specific information, such as the source (S_IP) and 
destination (D_IP) IP addresses in the packet, i.e. h_{K_i}(S_IP, D_IP, R_i.IP), 
to produce the authentication value R_i.auth. Since each R_i.auth is 16 bits 
long, the record route option can contain at most 6 marking messages. 

The authenticated marking and attack path reconstruction algorithms are 
depicted in Figure 2. 

Marking procedure at router R_i: 
    for each packet w 
        if destination of w is victim then 
            if record route IP option is ON then 
                if the record route number < 6 then 
                    append R_i.IP into w.record route IP option 
                    append h_{K_i}(S_IP, D_IP, R_i) into w.record route IP option 
                endif 
            else 
                let x be a random number from [0,1] 
                if x < p then 
                    set the record route IP option on 
                    append R_i.IP into w.record route IP option 
                    append h_{K_i}(S_IP, D_IP, R_i) into w.record route IP option 
                endif 
            endif 
        endif 

Path reconstruction procedure at victim v: 
    let NodeTable be an empty diagonal matrix, whose elements are tuples nt(node, count) 
    for each path segment (R_1, R_2, ..., R_n, 1 <= n <= 6) of attack path in the attack packet 
        for each router R_i (i = 1, ..., n) 
            if h_{K_i}(S_IP, D_IP, R_i) = R_i.auth then 
                if R_i is not in the column then 
                    add R_i into the diagonal matrix 
                    set nt(R_{i-1}, R_i) and nt(R_i, R_{i+1}) to be (1, 1) 
                else 
                    increase nt(R_{i-1}, R_i).count and nt(R_i, R_{i+1}).count by 1 
                endif 
            endif 
    draw the attack path according to the NodeTable established. If nt(R_i, R_j).node = 1, 
    R_i and R_j are connected directly. 

Figure 2. The authenticated multi-edge marking and path reconstruction algorithms 
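As an added example (not the authors' code), the following Python computes the per-router value h_{K_i}(S_IP, D_IP, R_i.IP) of Section 2.4 as HMAC-MD5 shortened to 16 bits and runs the victim-side check of Figure 2 against a segment into which a compromised router has inserted a spoofed address. Shortening the MAC to its leading two bytes, the fixed-width packing of the three addresses, and all names, keys and addresses are my assumptions.

```python
import hashlib
import hmac
import ipaddress
import secrets

TAG_LEN = 2                                 # 16-bit authentication value
ENTRY_LEN = 4 + TAG_LEN                     # R_i.IP followed by R_i.auth
# Section 2.4: (60 - 20 - 3) // 6 == 6 authenticated markings fit the option.
MAX_AUTH_ENTRIES = (60 - 20 - 3) // ENTRY_LEN


def marking_tag(key, src_ip, dst_ip, router_ip):
    """h_K(S_IP, D_IP, R_i.IP): HMAC-MD5 shortened to its first 16 bits
    (the shortening method is this example's choice, not the paper's).

    The three addresses are packed as fixed 4-octet fields so the MAC input
    is unambiguous; binding the tag to the packet's source and destination
    stops a tag captured from one flow being reused on another."""
    msg = b"".join(ipaddress.IPv4Address(a).packed
                   for a in (src_ip, dst_ip, router_ip))
    return hmac.new(key, msg, hashlib.md5).digest()[:TAG_LEN]


def router_mark(segment, key, src_ip, dst_ip, router_ip):
    """Router side of Figure 2: append (R_i.IP, R_i.auth) if fewer than
    6 entries are present. Returns False when the option is full."""
    if len(segment) >= MAX_AUTH_ENTRIES:
        return False
    segment.append((router_ip, marking_tag(key, src_ip, dst_ip, router_ip)))
    return True


def victim_verify(segment, keys, src_ip, dst_ip):
    """Victim side of Figure 2: recompute each tag under the key K_i shared
    with the claimed router and keep only the entries that verify.

    Entries naming a router the victim holds no key for, or carrying a tag
    that does not recompute, are what a compromised router could inject;
    they are dropped before NodeTable is updated. A 16-bit tag still lets a
    random forgery pass once in 65536 tries, so a cautious victim would also
    require an edge to be seen in more than one packet (nt.count) before
    drawing it."""
    accepted = []
    for router_ip, tag in segment:
        key = keys.get(router_ip)
        if key is None:
            continue
        if hmac.compare_digest(marking_tag(key, src_ip, dst_ip, router_ip), tag):
            accepted.append(router_ip)
    return accepted


def demo():
    """Two honest routers mark a packet, a compromised router appends a
    spoofed address with a guessed tag; the victim keeps the honest two."""
    src, dst = "198.51.100.7", "203.0.113.9"             # constructed addresses
    routers = ["10.1.0.1", "10.1.0.2"]
    keys = {r: secrets.token_bytes(16) for r in routers}  # K_i shared with victim
    segment = []
    for r in routers:
        router_mark(segment, keys[r], src, dst, r)
    segment.append(("192.0.2.66", b"\x00\x00"))           # forged entry
    return victim_verify(segment, keys, src, dst)
```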



3. DDoS Scouter 

To keep in line with the above principles, DDoS Scouter is designed as a 
query-response system. Only when the IDSs deployed in the victim's system 
detect that there is a DDoS attack aimed at the victim does the network 
administrator, on receiving the marking request, ask the marking enabled routers 
to do IP marking. The enabled routers mark their IP addresses only into the 
specific packets destined to the victim; packets destined to other destinations 
are not marked. The system involves the victim, the intrusion detection system, 
the network administrator or operator, and the IP marking and/or packet filtering 
enabled routers. All communications among the components of the system must 
be authenticated to avoid being used by invalid users or attackers. 

Figure 3 shows the architecture of the system. The DDoS Scouter consists of 
four entities: the victim, the Intrusion Detection System (IDS), the network 
administrator and the marking and filtering enabled routers. 

The IDS is responsible for detecting DDoS attacks and sending DDoS attack 
alarms to the network administrator. When the IDS detects that there is a DDoS 
attack aimed at the victim host or network, it sends a DDoS attack alarm to the 
victim's network administrator with the victim identity and attack 
characteristics. There are many commercially available IDS systems, and there 
are also some research results on how to detect DDoS attacks. 

The network administrator is responsible for controlling the routers to do 
IP marking and packet filtering. On receiving the DDoS attack alarm, the 
network administrator authenticates that the alarm is really sent by a valid 
IDS. Then it sends IP marking instructions to the IP packet marking enabled 
routers to start IP marking. On receiving the attack path information, 
the network administrator decides on which routers the packet filter should be 
launched to stop or dilute the DDoS attacks aimed at the victim, and sends the 
filtering instructions to the selected routers to do packet filtering. The marking 
and/or filtering enabled routers are responsible for carrying out the marking 
and packet filtering functions. On receiving the marking instructions, the IP 
packet marking enabled routers begin to mark their IP addresses into the packets 
destined to the victim. The packets routed to other destinations are not marked. 
On receiving the filtering instructions, the routers filter the packets destined to 
the victim and forward the packets destined to other destinations. 

Figure 3. The architecture of the DDoS Scouter 

Having received the marked packets, the victim collects the IP addresses 
of the routers through which the packets have passed. Using the collected IP 
addresses, the victim reconstructs the attack paths or sub-paths and sends them 
to the network administrator for filtering. 

4. Simulation 

To test the performance of the multi-edge marking scheme, we conducted an 
experiment on SSFnet, a well known network simulator. In the 
simulation, the following three schemes are tested and compared: Compressed 
Edge Fragment Sampling (CEFS), the Uncovered Multi-Edge method (UME) and 
the Random Multi-Edge method (RME). The first one was proposed in earlier 
work and the last two are proposed in this paper. The difference between RME 
and UME lies in whether the marking procedure is random or not. In the UME 
scheme, when the IP option is full, the following router's IP address cannot be 
marked. In the RME scheme, when the IP option is full, the very first router's IP 
address is shifted out and the new router's IP address is marked in. These 
schemes are tested in three scenarios: 

■ S1: one attacker 10 hops away from the victim. 

■ S2: one attacker 24 hops away from the victim. 

■ S3: 261 hosts located at different places attacking the victim through 
14 different paths, i.e. a distributed DoS attack. 

Two criteria are used to make the comparison. The first one is the expected 
number of packets required for path reconstruction. Table 2 shows the 
simulation results. It indicates that the multi-edge marking schemes need 
many fewer packets than CEFS, especially for DDoS attacks. Since most 
flooding-style DoS attacks send many hundreds or thousands of packets per 
second, the victim can collect enough packets in a moment. In addition, 
the marking enabled router needs to perform the marking function only in a 
short time slot. From the table, we observe that when the length of the attack 
path increases from 10 to 24, the increase in packets in UME is slight. It 
indicates that UME adapts well to changes of distance. The second criterion 
is the time required for path reconstruction. The simulation results indicate 
that all of the tests except for CEFS in the DDoS attack scenario, which takes 
more than one day to do the path reconstruction, can be completed within one 
second. 

Table 2a. Number of packets needed to reconstruct the attack path, p = 0.05 

            S1      S2      S3 
    CEFS    2000    3600    56000 
    UME     40      40      800 
    RME     60      90      2100 

Table 2b. Number of packets needed to reconstruct the attack path, p = 0.1 

            S1      S2      S3 
    CEFS    1400    5900    75000 
    UME     30      40      400 
    RME     70      150     2000 


5. Discussion 

5.1 Fragmentation 

It has been indicated that the main drawback of the marking algorithm is the 
overhead of the packet size increased by the marking, which can lead to 
fragmentation and bad interactions with services such as MTU discovery. Note 
that the routers just mark the packets destined to the victim, so the other 
packets are not affected. If the marking results in fragmentation of the packet, 
the router can be designed to fragment the packet properly so that it will not be 
fragmented again later. Furthermore, a fragmented packet will not be marked 
except for its first fragment. Some research results show that more than 95 
percent of attack packets are small packets, such as TCP (SYN, RST), ICMP and 
so on. These kinds of packets have enough space for multi-edge 
5.2 Authentication 

In the DDoS Scouter system, there are two kinds of channels that should be 
authenticated. The first one is the communications among the victim, the IDS, 
the network administrator and the marking enabled routers. Malicious users 
or attackers could send invalid marking requests or filtering requests to launch 
another type of DoS attack. Any available authentication and encryption 
mechanisms can be deployed in the system. 

The second one is the marking information itself, since compromised routers 
could forge the markings according to the precise probability distribution and 
thereby prevent the victim from detecting and identifying the compromised 
router by analyzing the marking distribution; this has been considered in 
section 2.4. 

5.3 Cross-domains 

In DDoS Scouter, the network administrator acts as the controller to do 
marking and filtering on demand. Because there is a trust problem among 
different ISPs or ASs, the network administrator cannot send instructions to 
routers that do not belong to his domain. The attack paths reconstructed by the 
victim are then just sub-attack paths. In order to reconstruct the full attack paths, 
trust among different ISPs must be established. Based on that trust, the network 
administrator in the victim's domain sends the marking request and filtering 
request to the other ISPs' network administrators. Thus, DDoS Scouter can trace 
back exactly to or near to the attackers or agents. A direct solution to this 
problem may be a hierarchical mechanism. 

6. Conclusion 

To make IP traceback more practical and efficient, a multi-edge marking 
based scheme was proposed in this paper. According to the analysis and 
simulation, the scheme is much more efficient than the schemes available up to 
now. In addition, the authors proposed the DDoS Scouter system, an architecture 
or framework to prevent DDoS attacks. Given that attack mechanisms and tools 
continue to improve and evolve, more effective detect-and-filter approaches 
must be developed in addition to the use of ingress packet filtering and other 
existing defense mechanisms and procedures. Next, for the multi-edge marking 
scheme, we are exploring coding techniques to decrease the space requirement 
of one IP address. Based on the architecture, we will introduce the intelligent 
filtering technique into the system and extend it to a global defense 
infrastructure to protect the entire Internet from DDoS attacks. 
Abstract A coding transformation method, called Base91, is characterized by its output of 
91 printable ASCII characters. Base91 provides compatibility with E-mail 
and increases the encoding efficiency of enciphered E-mail data or any 
input 8-bit data sequence. Its extension Base91+ has a higher encoding efficiency. 

Keywords: coding transformation, Base91, Base85, Base64, QP, encoding efficiency 

1. Background of Invention 

With the rapid development of the Internet and its business applications, E-mail 
and its security have become more and more important. SMTP (Simple Mail 
Transfer Protocol) is the basic electronic mail transfer protocol. All the SMTP- 
based E-mail encrypting systems, PGP (Pretty Good Privacy), PEM (Privacy En- 
hanced Mail), and MIME (Multipurpose Internet Mail Extensions) or S/MIME 
(secure MIME), can provide compatibility with E-mail. So-called com- 
patibility with E-mail means transforming arbitrary 8-bit data byte-strings or 
arbitrary bit stream data transferred by E-mail into character-strings of 
a limited ASCII (American Standard Code for Information Interchange) set. The 
main limitations on the latter are that: (a) the characters have to be printable; (b) 
the characters are not control characters or “-” (hyphen). There are 94 
such ASCII characters in total, their corresponding digital codes being all integers 
ranging from 32 through 126 with the exception of 45. E-mails written in these 
ASCII characters are compatible with the Internet standard SMTP, and can be 
transferred in nearly all E-mail systems. Nowadays, to provide compatibil- 
ity with E-mail, Base64 coding or QP (Quoted-Printable) coding is usually 
employed. 

Base64 coding divides the input message into 6-bit blocks to be used 
as the variable of the mapping, the mapping being denoted by 

Base64[ ]: X → Y 

where the variable (original image) set X includes all 64 6-bit symbols 
(denoted as the integers 0, 1, ..., 63) and ∅ representing “no data”; the image set Y 
includes the upper and lower cases of the 26 alphabetic characters, the Arabic digits 
0 through 9, “+”, “/” and the filling character “=”. It is specified 
that in non-program statements the Chinese quotation marks are used as the 
delimiters of characters or character-strings (the same applies below). The mapping 
rules commonly used in Base64 coding software are 

Base64[0]=“A”, ..., Base64[25]=“Z”, 

Base64[26]=“a”, ..., Base64[51]=“z”, 

Base64[52]=“0”, ..., Base64[61]=“9”, 

Base64[62]=“+”, Base64[63]=“/”. 

In particular, Base64[∅]=“=” is used only when needed, so as to make the total 
number of characters of the output string a multiple of 4, ∅ being the 
empty set. The coding efficiency of Base64 coding is 6/8 = 75%. The data 
expansion rate is 8/6 = 4/3 = 133.33%. 

QP coding divides the input message into 8-bit blocks to be used as 
the variable of the mapping. When the original 8-bit datum is a printable 
character other than “=”, its image equals the original (i.e. there is 
no change); when the hexadecimal notation of the original 8-bit datum is 
“LR” and its most significant bit is 1, its image is the three printable characters 
“=LR”; and the image of “=” is “=3D”. Hence, in the worst case, the encoding 
efficiency of the QP transformation is 1/3 and the data expansion rate is 300% (this 
is the case when Chinese-language data in the GB2312 coding are 
QP-transformed). 

Base85 coding transforms input data of 16 bytes into output data of 
20 printable ASCII characters, so the encoding efficiency of Base85 is 16/20 
or 80%. But at present people only use Base85 in the representation of 128-bit 
IPv6 addresses. 
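As an added example that is not part of the original paper, the following Python implements the QP rule described above and measures the expansion of QP and Base64 on two constructed inputs: plain ASCII text, and Chinese text in GB2312, where every byte has its MSB set. The line-length limit and soft line breaks of real Quoted-Printable are left out because the paper's rule does not mention them; the function names are mine.

```python
import base64


def qp_encode(data: bytes) -> str:
    """Quoted-Printable as described in the paper: a printable byte other than
    "=" maps to itself; "=" and any byte with the MSB set map to "=LR", where
    LR is the byte in hexadecimal. Control bytes are escaped the same way
    (an assumption here; the paper's rule only speaks about MSB-set bytes)."""
    out = []
    for b in data:
        if 32 <= b <= 126 and b != 0x3D:
            out.append(chr(b))
        else:
            out.append(f"={b:02X}")
    return "".join(out)


def expansion_rate(encoded: str, data: bytes) -> float:
    """Output characters per input byte, in percent (100% means no growth)."""
    return 100.0 * len(encoded) / len(data)


def compare(data: bytes) -> dict:
    """Data expansion rate of QP and Base64 for the same input."""
    return {
        "QP": expansion_rate(qp_encode(data), data),
        "Base64": expansion_rate(base64.b64encode(data).decode("ascii"), data),
    }


if __name__ == "__main__":
    ascii_text = b"Progress on Cryptography: 25 Years in China"  # constructed
    gb_text = "密码学的进展".encode("gb2312")                      # constructed, 12 bytes
    for label, sample in (("ASCII", ascii_text), ("GB2312", gb_text)):
        print(label, compare(sample))
```

For the GB2312 sample every byte is escaped, so QP yields exactly the 300% worst case quoted above, while Base64 stays at 133.33% regardless of the input bytes.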

2. Contents of Invention 

The object of the present invention is to provide a digital data transformation 
method to replace Base64 coding or QP coding, so as to provide higher coding 
efficiency under the condition of E-mail compatibility, to reduce the time re- 
quired for transferring coded messages over the network, or to save storage 
space when data are stored in printable-character mode. 

The present invention is implemented by the following technical design: 
a coding transformation of arbitrary bit-stream data into a printable character 
sequence. The main idea is to increase the bit length of the block mapping 
from the current 6 or 8 bits to 13 bits, and to use the double-character set over 91 
printable ASCII characters as the image set of the transformation. The following 
is the Base91 coding designed for the present invention (also denoted as 
Radix-91 coding, Base91 and Radix-91 being two short names for “base 
number 91”). Then Base91+ coding, with a block of 27 bits, is given as an 
extension of Base91. 

2.1 Base91 Coding 

Base91 coding divides the input message into 13-bit blocks to be used 
as the variable of the mapping, the mapping being denoted by 

Base91[ ]: X → Y 

where the variable (original image) set X includes all 8192 13-bit sym- 
bols (denoted as the integers 0, 1, ..., 8191) together with the 12 denoting 
symbols 8191 + n (n = 1, ..., 12), each of which denotes that the n bits at the 
specified side of the last block are filling data, thereby making the total 
number of elements of the original image set equal to 8204; the image set Y is a 
subset of the direct product R91 × R91, where the symbol R91 denotes the set of 
91 characters selected from the 95 printable ASCII characters with “-”, “=” and 
the space character excluded. The direct product R91 × R91 has 8281 elements. 

Base91 is defined as an injective mapping, arbitrarily selected, from X into 
the direct product R91 × R91. The selection of any particular injective mapping 
as Base91 has no effect on the present invention. For convenience of imple- 
mentation, assuming that R91_CH[91] is the character array that includes all R91 
characters arranged in ASCII order, the present 
invention preferably selects the following mapping: 

Base91[x] = (ch1, ch2) = (R91_CH[x/91], R91_CH[x%91]) (1) 

where x ∈ X, ch1, ch2 ∈ R91, and the symbols “/” and “%” are the operators used in the 
C language, representing integer division and modulo division (remainder) 
respectively. 

The operation of dividing the input message into 13-bit blocks may 
leave a last block shorter than 13 bits. For such a block, n bits are added 
at the specified side to make it a complete block for the mapping; and 
the corresponding denoting symbol 8191 + n is appended thereafter as a further 
input to the mapping, so that it can be decided during decoding how many filling 
bits have to be deleted. When needed, a double-character may be used 
as a “terminating symbol” of the output character-string. Hence at most 92 
printable ASCII characters can appear in the output string of Base91 coding. 

According to the coding rules of the above-mentioned Base91 coding, the 
number of extra output characters, consisting of the filling bits, the image of 
the denoting symbol and the “terminating symbol”, does not exceed 6. 
Therefore, as the number of bits or bytes of the 
input message increases, the coding efficiency of Base91 approaches 13/16 = 81.25% 
and its data expansion rate approaches 16/13 = 123%. 

2.2 Base91+ Coding 

Base91+ coding divides the input message into 27-bit blocks to be used 
as the variable of the mapping, the mapping being denoted by 

Base91+[ ]: X → Y 

where the variable (original image) set X includes all 134217728 27-bit 
symbols (denoted as the integers 0, 1, ..., 134217727) together with the 26 
denoting symbols 134217727 + n (n = 1, ..., 26), each of which denotes that 
the n bits at the specified side of the last block are filling data, thereby 
making the total number of elements of the original image set equal to 
134217754; the image set Y is a subset of the direct product Y0 × Y0, where 
the symbol Y0 is the union of R91 × R91 and HZm[ ], a subset of GB2312 with 
m elements, m = 3305. That is 

Y0 = { R91 × R91 } ∪ HZm[3305]. 

N = 8281 + m = 11586, the number of elements of Y0, is called the “extended 
base number”. N² = 134235396 > |X| = 134217754, that is, the direct product 
Y0 × Y0 has more elements than X. 

Base91+ is defined as an injective mapping, arbitrarily selected, from X into 
the direct product Y0 × Y0. The selection of any particular injective mapping 
as Base91+ has no effect on the present invention. For convenience of 
implementation, the present invention preferably selects the following mapping: 

Base91+[x] = (ch1, ch2, ch3, ch4), x ∈ X, (2) 

where, with y1 = x/N and y2 = x%N, 

if y1 < 8281: ch1 = R91_CH[y1/91], ch2 = R91_CH[y1%91] (3) 

if y1 ≥ 8281: ch1ch2 = HZm[y1 − 8281] (4) 

if y2 < 8281: ch3 = R91_CH[y2/91], ch4 = R91_CH[y2%91] (5) 

if y2 ≥ 8281: ch3ch4 = HZm[y2 − 8281] (6) 

The operation of dividing the input message into 27-bit blocks may leave 
a last block shorter than 27 bits. For such a block, n bits are added at the 
specified side to make it a complete block for the mapping; and the 
corresponding denoting symbol 134217727 + n is appended thereafter as a further 
input to the mapping, so that it can be decided during decoding how many 
filling bits have to be deleted. 
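Equations (1) to (6) and the filling rule of sections 2.1 and 2.2 translate directly into code. The following Python is an added example and not the patent's own implementation: it realizes both Base91 (13-bit blocks, R91 pairs) and Base91+ (27-bit blocks, Y0 elements) on one shared block-splitting core, with a decoder for each. Three details the text leaves open are assumptions here: the filling bits are placed at the low-order (right) side of the last block; because the three exclusions named in 2.1 leave 92 characters rather than 91, the double-quote character is dropped as well; and HZm is taken to be the first 3305 level-1 hanzi of GB2312 in code-point order, since the patent does not list the subset. No terminating symbol is emitted.

```python
# Constructed R91 alphabet: printable ASCII 0x20..0x7E without space, "-", "="
# (as the text states) and, as an assumption to reach exactly 91, without '"'.
R91_CH = "".join(c for c in map(chr, range(32, 127)) if c not in ' -="')
assert len(R91_CH) == 91
R91_INDEX = {c: i for i, c in enumerate(R91_CH)}

# Constructed HZm: the first 3305 GB2312 level-1 hanzi (rows from 0xB0, 94 per
# row). The patent does not say which 3305 characters it uses; assumption.
HZM = [bytes([0xB0 + i // 94, 0xA1 + i % 94]).decode("gb2312") for i in range(3305)]
HZM_INDEX = {h: i for i, h in enumerate(HZM)}
N = 91 * 91 + len(HZM)          # extended base number, 11586


# --- Base91: equation (1) ---------------------------------------------------
def base91_symbol(x):           # x -> (R91_CH[x/91], R91_CH[x%91])
    return R91_CH[x // 91] + R91_CH[x % 91]


def base91_parse(text, pos):    # inverse of base91_symbol; returns (x, next pos)
    return R91_INDEX[text[pos]] * 91 + R91_INDEX[text[pos + 1]], pos + 2


# --- Base91+: equations (2) to (6) ------------------------------------------
def _y0(y):                     # one Y0 element: R91 pair if y < 8281, else a hanzi
    return base91_symbol(y) if y < 8281 else HZM[y - 8281]


def base91plus_symbol(x):       # (ch1 ch2, ch3 ch4) from y1 = x/N, y2 = x%N
    return _y0(x // N) + _y0(x % N)


def _parse_y0(text, pos):
    if text[pos] in R91_INDEX:
        return base91_parse(text, pos)
    return 8281 + HZM_INDEX[text[pos]], pos + 1


def base91plus_parse(text, pos):
    y1, pos = _parse_y0(text, pos)
    y2, pos = _parse_y0(text, pos)
    return y1 * N + y2, pos


# --- shared block core ------------------------------------------------------
def encode(data, block_bits, symbol):
    """Split data into block_bits-wide blocks; a short last block is padded with
    n zero bits on the right (assumed side) and followed by the denoting symbol
    (2^block_bits - 1) + n, exactly as sections 2.1 and 2.2 describe."""
    bits = "".join(f"{b:08b}" for b in data)
    top = (1 << block_bits) - 1
    out = []
    for i in range(0, len(bits), block_bits):
        chunk = bits[i:i + block_bits]
        n = block_bits - len(chunk)
        out.append(symbol(int(chunk + "0" * n, 2)))
        if n:
            out.append(symbol(top + n))
    return "".join(out)


def decode(text, block_bits, parse):
    """Inverse of encode: a denoting symbol strips n bits from the block before it."""
    top = (1 << block_bits) - 1
    blocks, pos = [], 0
    while pos < len(text):
        x, pos = parse(text, pos)
        if x > top:
            n = x - top
            if not blocks or n >= block_bits:
                raise ValueError("invalid denoting symbol")
            blocks[-1] = blocks[-1][:-n]
        else:
            blocks.append(f"{x:0{block_bits}b}")
    stream = "".join(blocks)
    if len(stream) % 8:
        raise ValueError("decoded bit stream is not byte-aligned")
    return bytes(int(stream[i:i + 8], 2) for i in range(0, len(stream), 8))


def base91_encode(data): return encode(data, 13, base91_symbol)
def base91_decode(text): return decode(text, 13, base91_parse)
def base91plus_encode(data): return encode(data, 27, base91plus_symbol)
def base91plus_decode(text): return decode(text, 27, base91plus_parse)


def expansion_rate(data, codec="base91"):
    """Output bytes per input byte in percent; Base91+ output is measured in
    GB2312, where each hanzi of HZm occupies two bytes like an R91 pair."""
    out = base91_encode(data) if codec == "base91" else base91plus_encode(data)
    return 100.0 * len(out.encode("gb2312")) / len(data)
```

With inputs that fill whole blocks (13 bytes for Base91, 27 bytes for Base91+) no denoting symbol is needed and the expansion rates are exactly 16/13 and 32/27; any other length costs one extra image element, which is the "at most 6 characters" overhead mentioned in section 2.1.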

Compared with Base64 or QP coding, Base91 (or Base91+) has the 
advantage in encoding efficiency. The design features of the four kinds of 
coding transformation are shown in Table 1. 



Table 1. Design features of the four coding transformations 

design features                               QP coding (MSB of    Base64 coding   Base91 coding   Base91+ coding 
                                              input byte being 1) 
number of bits of one input block             8                    6               13              27 
number of elements of variable set X          256                  64              2^13 + 12       2^27 + 26 
number of bits used by one image element      24                   8               16              32 
number of characters in output                17                   65              91              91 + 94 
encoding efficiency                           33.333%              75%             81.25%          84.375% 
data expansion rate                           300%                 133.33%         123%            118.5% 
ratio of amount of coded data of the same     225                  100             92.3            88.89 
input message                                 100                  44.44           41.03           39.51 



3. Conclusion 

Base91 provides compatibility with E-mail and increases the encoding 
efficiency of enciphered E-mail data or any 8-bit input data sequence. 
Combined with the Internet standards SMTP, MIME, S/MIME etc., Base91 encod- 
ing can reduce by 7.7% the transmitted data required by Base64 encoding, and can 
reduce by 58.97% the transmitted data required by QP encoding when the MSB of every 
input byte is 1, as in input data in Chinese GB2312, which is a subset 
of GBK. Its extension Base91+ has a higher encoding efficiency of 84.375%, 
which is 9.375 percentage points above the 75% of Base64. In other words, Base91+ 
encoding can reduce by 11.11% the transmitted data required by Base64 encoding 
and by 60.49% the transmitted data required by QP encoding when the MSB 
of every input byte is 1. 
Abstract This paper analyzes the TMN protocol completely using a formal analysis method 
called the Running-Mode Analysis and uncovers a number of attacks on the TMN 
protocol. These attacks are classified according to their detailed forms and the 
different intentions of the intruder. Finally, combining them with the known attacks, the 
authors deduce that the Running-Mode Analysis can analyze the TMN protocol 
effectively. 

Keywords: TMN protocol, model checking, cryptographic protocol, running-mode analysis 

1. Introduction 

The TMN protocol [1], due to Tatebayashi, Matsuzaki and Newman, concerns a 
mobile communications system. In order for two agents communicating over an 
open channel to set up a secure session, they must first decide upon a 
cryptographic session key, which should be kept secret from all eavesdrop- 
pers. The protocol is subject to a number of attacks. Two attacks are presented 
using Murphi in reference [2]. Reference [3] uncovers two attacks on the TMN pro- 
tocol. Reference [4] analyzes the TMN protocol completely using the model 
checking tool FDR, uncovering seven attacks on the original protocol and three 
attacks on the fixed protocol. 

We use a new formal analysis method called the Running-Mode method [5] 
to analyze the TMN protocol. Nineteen attacks are found in the small system. 
Comparing them with the known attacks, we notice that many attacks on the TMN 
protocol are similar, so repetitious attacks have been presented. In this paper, 
we classify these attacks according to the secrecy aim of the protocol. 

Section 2 presents an introduction to the TMN protocol, and section 3 presents 
an analysis of the protocol using the Running-Mode method. In section 4, the 
attacks on the TMN protocol are classified into different kinds. A conclusion 
is drawn in section 5. 

2. The TMN protocol 

The TMN protocol concerns three principals: an initiator A, a responder B, 
and a server S who mediates between them as follows: 

M1 A → S : B, {Na}Ks 

M2 S → B : A 

M3 B → S : A, {Nb}Ks 

M4 S → A : B, {Nb}Na 

Here, A is the initiator, B is the responder and S is the server. Ks is the public key of 
the server. Na and Nb are the nonces of A and B. In order to establish a secret 
with B, A must send a message to S informing S that he wants to communicate with 
B, together with the nonce Na encrypted under S's public key (message M1). After 
receiving A's message, S contacts B (message M2). Then B accepts 
A's request and sends Nb to S (message M3). S encrypts the nonces Na and 
Nb together and sends the result to A. Finally A obtains the shared secret (message M4). 
The protocol employs two sorts of encryption: 

Standard encryption: This uses an encryption function, which we shall write 
as E. Every initiator and responder knows how to produce E(m) given a message 
m, but only the server knows how to decrypt such a message to obtain the 
original message m. This encryption can be implemented using, for example, 
RSA. Message 1 and Message 3 use this encryption. 

Vernam encryption: The Vernam encryption of two keys, which we will write 
as V(k1, k2), is their bit-wise exclusive-or. Note that V(k1, V(k1, k2)) = k2, so 
if an agent knows k1, then he can decrypt V(k1, k2) to obtain k2. Message 4 
uses this encryption. 
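The four-message exchange and the Vernam step, as an added Python example that is not part of the paper: both ends of every message are modelled, and the stand-in for E is an opaque handle that only the Server object can open (the paper's E would be RSA; the handle table is an assumption made to avoid a cryptographic library, and the function names are mine). The `learn_from_m4` function shows exactly the property the paper notes, V(k1, V(k1, k2)) = k2: whoever reads M4 off the wire and already holds one of its nonces recovers the other, so the confidentiality of M4 rests entirely on the nonce carried in M1.

```python
import os
from typing import Dict, List, Tuple


def vernam(k1: bytes, k2: bytes) -> bytes:
    """V(k1, k2): bit-wise exclusive-or of two equal-length keys."""
    if len(k1) != len(k2):
        raise ValueError("Vernam operands must be the same length")
    return bytes(a ^ b for a, b in zip(k1, k2))


class Server:
    """S, the only principal able to invert E (stand-in for a public-key scheme)."""

    def __init__(self) -> None:
        self._opened: Dict[bytes, bytes] = {}   # assumption: E(m) is an opaque handle

    def E(self, m: bytes) -> bytes:
        """Public operation: anyone can produce E(m); the handle reveals nothing."""
        handle = os.urandom(16)
        self._opened[handle] = m
        return handle

    def decrypt(self, c: bytes) -> bytes:
        """Private operation: only S holds the table behind E."""
        return self._opened[c]


Message = Tuple[str, str, tuple]   # (sender, receiver, payload)


def run_tmn(S: Server, na: bytes, nb: bytes) -> Tuple[List[Message], bytes, bytes]:
    """Honest run M1..M4 of the TMN protocol. Returns the transcript as seen by
    an eavesdropper and the session key each honest party ends up with."""
    transcript: List[Message] = []
    # M1  A -> S : B, {Na}Ks
    m1 = ("B", S.E(na))
    transcript.append(("A", "S", m1))
    # M2  S -> B : A
    m2 = ("A",)
    transcript.append(("S", "B", m2))
    # M3  B -> S : A, {Nb}Ks
    m3 = ("A", S.E(nb))
    transcript.append(("B", "S", m3))
    # M4  S -> A : B, V(Na, Nb)   (S opens both E() handles first)
    m4 = ("B", vernam(S.decrypt(m1[1]), S.decrypt(m3[1])))
    transcript.append(("S", "A", m4))
    key_at_a = vernam(na, m4[1])   # A computes V(Na, V(Na, Nb)) = Nb
    key_at_b = nb                  # B chose Nb itself
    return transcript, key_at_a, key_at_b


def learn_from_m4(transcript: List[Message], known_nonce: bytes) -> bytes:
    """Anyone who observes M4 and already holds one of its two nonces obtains
    the other; this is the Vernam property the protocol relies on."""
    m4 = next(p for s, r, p in transcript if s == "S" and r == "A")
    return vernam(known_nonce, m4[1])


if __name__ == "__main__":
    server = Server()
    na, nb = os.urandom(16), os.urandom(16)   # constructed nonces
    transcript, ka, kb = run_tmn(server, na, nb)
    print("A and B agree on the key:", ka == kb)
    print("M4 reveals Nb to a holder of Na:", learn_from_m4(transcript, na) == nb)
```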

3. Analysis of TMN protocol using Running-Mode 

3.1 Introduction to the Running-Mode method 

The basic method of model checking is to produce a model of a small system 
running the protocol, together with a model of the most general intruder who 
can interact with the protocol, and to use a state exploration tool to discover whether 
the system can enter an insecure state, that is, whether there is an attack upon 
the protocol. The approach of Running-Mode analysis is deduced from results 
of model checking of security protocols. Therefore, the basic approach 
of Running-Mode analysis is also to produce a model of a small system running 
the protocol, together with a model of the most general intruder who can interact 
with the protocol, and to analyze all the possible running modes of this system. 
In our system, the intruder is a dishonest principal who can: 

(1) Overhear and/or intercept any messages being passed in the system; 

(2) Decrypt messages that are encrypted with his public key so as to learn new 
nonces; 

(3) Introduce new messages into the system, using nonces he knows; 

(4) Replay any message he has seen (possibly changing plain-text parts), even 
if he does not understand the contents of the encrypted part. 

3.2 Analysis of the TMN protocol 

3.2.1 The model of the small system. We define a small system which 
has an intruder. The system configuration is one initiator A, one responder B, 
one server S and one intruder I. 

The sets of the system are as follows. S denotes the small system: S = {ID, 
Key, Message}; ID = {InitSet, RespSet, ServSet}, where ID denotes the set of principals. 
The set of initiators is InitSet = {A, I, I(A), $}. Here A is an honest initiator 
who can run the protocol precisely once; I is the intruder; I(A) denotes that I 
impersonates A; $ denotes that there is no principal. The set of responders 
is RespSet = {B, I, I(B), $}. Here B is an honest responder who can run the 
protocol precisely once; I is the intruder; I(B) denotes that I impersonates B. 
The set of servers is ServSet = {S, I(S), $}. Here S is a trusted principal; I(S) 
denotes that I impersonates S. Key = {Ks, Na, Nb, Ni} denotes the set of keys 
and nonces. Message = {M1, M2, ..., Mn} denotes the set of messages. 

3.2.2 The modes of the TMN protocol. A model checker can automati- 
cally analyze concurrent protocol runs. To verify that a protocol is correct, 
all the possible runs must be checked. But the Running-Mode method 
cannot analyze automatically like a model checker, and we must discuss the 
concurrent protocol runs before using it. 

When the protocol runs concurrently, it must satisfy the assumptions of the 
small system. Here the honest initiator A and the honest responder B can each run 
the protocol precisely once, so they can lead to at most two runs of the protocol. Moreover, 
the intruder I can run the protocol with the server under different impersonated identities. If 
information is transmitted only between the intruder and his impersonated identities, the 
intruder gains nothing useful, so we can count all such runs as 
one. Therefore, we conclude that the three-principal 
cryptographic protocol runs concurrently no more than three times. 

3.2.2.1 The modes when the TMN protocol runs only once. When the 
TMN protocol runs only once, the running mode is as follows: 

1.1 X1 → Z1 : Y, {Nx1}Ks 

1.2 Z2 → Y1 : X 

1.3 Y2 → Z3 : X, {Ny2}Ks 

1.4 Z4 → X2 : Y, {Ny2}Nx1 

Here X, X1, X2 ∈ {A, I, I(A), $}; Y, Y1, Y2 ∈ {B, I, I(B), $}; Zi ∈ {S, I(S), $}, 
i = 1, ..., 4; Nx1 ∈ {Na, Ni}; Ny2 ∈ {Nb, Ni}. 

3.2.2.2 The modes when the TMN protocol runs concurrently. We know 
that a concurrent run of the protocol means that the protocol runs several times 
at a time, i.e. the protocol runs several times before the first run ends. 

(1) When the TMN protocol runs two times concurrently, the running mode 
is as follows: 

1.1 X1 → Z1 : Y, {Nα}Ks 

1.2 Z2 → Y1 : X 

1.3 Y2 → Z3 : X, {Nβ}Ks 

1.4 Z4 → X2 : Y, {Nβ}Nα 

2.1 X3 → Z5 : Y', {Nα'}Ks 

2.2 Z6 → Y3 : X' 

2.3 Y4 → Z7 : X', {Nβ'}Ks 

2.4 Z8 → X4 : Y', {Nβ'}Nα' 

Here X, X', Xi ∈ {A, I, I(A), $}, i = 1, ..., 4; Y, Y', Yi ∈ {B, I, I(B), $}, 
i = 1, ..., 4; Zj ∈ {S, I(S), $}, j = 1, ..., 8; Nα, Nα' ∈ {Na, Ni}; Nβ, Nβ' 
∈ {Nb, Ni}. 

In the small system, the honest principals A and B can run the protocol only 
once. Therefore, the variables must satisfy the following conditions: 

X1 ⊕ X2 = A, X3 ⊗ X4 ≠ A; Y1 ⊕ Y2 = B, Y3 ⊗ Y4 ≠ B; 

or 

X3 ⊕ X4 = A, X1 ⊗ X2 ≠ A; Y3 ⊕ Y4 = B, Y1 ⊗ Y2 ≠ B. 

Here the symbol ⊕ denotes OR and ⊗ denotes AND, i.e. each of A and B takes 
part in exactly one of the two runs. 

(2) When the TMN protocol runs three times concurrently, the mode is as 
follows: 

1.1 X1 → Z1 : Y, {Nα}Ks 

1.2 Z2 → Y1 : X 

1.3 Y2 → Z3 : X, {Nβ}Ks 

1.4 Z4 → X2 : Y, {Nβ}Nα 

2.1 X3 → Z5 : Y', {Nα'}Ks 

2.2 Z6 → Y3 : X' 

2.3 Y4 → Z7 : X', {Nβ'}Ks 

2.4 Z8 → X4 : Y', {Nβ'}Nα' 

3.1 X5 → Z9 : Y'', {Nα''}Ks 

3.2 Z10 → Y5 : X'' 

3.3 Y6 → Z11 : X'', {Nβ''}Ks 

3.4 Z12 → X6 : Y'', {Nβ''}Nα'' 

Here X, X', X'', Xi ∈ {A, I, I(A), $}, i = 1, ..., 6; Y, Y', Y'', Yi ∈ {B, I, I(B), $}, 
i = 1, ..., 6; Zj ∈ {S, I(S), $}, j = 1, ..., 12; Nα, Nα', Nα'' ∈ {Na, Ni}; 
Nβ, Nβ', Nβ'' ∈ {Nb, Ni}. 
The variables must satisfy the following conditions: 

X1 ⊕ X2 = A, X3 ⊗ X4 ⊗ X5 ⊗ X6 ≠ A; 

Y1 ⊕ Y2 = B,  Y3 ⊗ Y4 ⊗ Y5 ⊗ Y6 ≠ B; 

or 

X3 ⊕ X4 = A, X1 ⊗ X2 ⊗ X5 ⊗ X6 ≠ A; 

Y3 ⊕ Y4 = B,  Y1 ⊗ Y2 ⊗ Y5 ⊗ Y6 ≠ B; 

or 

X5 ⊕ X6 = A, X1 ⊗ X2 ⊗ X3 ⊗ X4 ≠ A; 

Y5 ⊕ Y6 = B,  Y1 ⊗ Y2 ⊗ Y3 ⊗ Y4 ≠ B. 

The Running-Mode of the protocol is then obtained by giving different values to the 
different variables; now we can list all the running modes of the TMN protocol. 

3.3 Reduction of the number of the running modes 

When using the Running-Mode method to analyze a protocol, we obtain 
all the possible running modes by giving different values to the different 
variables and then analyze the modes to find out whether any attack exists. 
In order to reduce the work done by hand, we can remove some impossible modes by 
the following rules: 

(1) If the value of a message's sender or receiver in the protocol is $, this 
message is invalid and we do not need to consider this instance; 

(2) If the secret information in a message does not match the identity of its 
sender, for example the honest principal A or B sending a nonce that is not its own, we do 
not need to consider this instance because it is impossible in a real run of the 
protocol; 

(3) If all the participants in the protocol are honest principals, the protocol 
runs normally and does not lead to any attack, so we do not need to consider this 
instance; 

(4) If both the initiator and the responder are different impersonated identities of 
the intruder, the information is transferred between different 
identities of the intruder and does not lead to any attack, so we do not need to 
consider this instance; 

(5) In concurrent runs of the protocol, if no run has any impact on 
the others, i.e. in every run the information transferred in the other 
runs is not used, so that the runs are in effect independent, we do not need to analyze 
this instance. 

4. Attacks on the TMN protocol 

4.1 The attacks when the protocol runs only once 

When we replace all the variables with all possible values in the single 
run of the TMN protocol, we uncover six attacks. 

(1) X1 = X2 = X = A, Y1 = Y2 = I(B), Y = B, Zi = S (i = 1, ..., 4), Nx1 = Na, 
Ny2 = Ni; 

(2) X1 = X2 = X = A, Y1 = Y = B, Y2 = I(B), Zi = S (i = 1, ..., 4), Nx1 = Na, 
Ny2 = Ni; 

(3) X1 = X2 = I(A), X = A, Y1 = Y2 = Y = B, Zi = S (i = 1, ..., 4), Nx1 = Ni, 
Ny2 = Nb; 

(4) X1 = X = A, X2 = I(A), Y1 = Y2 = I(B), Y = B, Zi = S (i = 1, ..., 4), 
Nx1 = Na, Ny2 = Ni; 

(5) X1 = X = A, X2 = I(A), Y1 = Y = B, Y2 = I(B), Zi = S (i = 1, ..., 4), 
Nx1 = Na, Ny2 = Ni; 

(6) X1 = X2 = Z1 = Z4 = $, X = A, Y1 = Y2 = B, Y = $, Z2 = Z3 = I(S), 
Ny2 = Nb, Nx1 = anything. 

In both attack 1 [2] and attack 2 [3], the intruder I sends his nonce to 
deceive A by impersonating the responder B, thus making A think that he 
shares secret information with B, while I decrypts the Vernam function to get 
the secret information Na. In fact, both attacks reach the same goal by a 
stay-in-the-middle attack, so we classify these two into the first kind of attack. 

In attack 3 [2], the intruder I gets the secret information by impersonating 
the initiator A and deceives the honest responder B. Although it is also a stay- 
in-the-middle attack, the goal is different from that of the first kind of attack, so we 
classify it into the second kind. 

In attacks 4 and 5, the intruder impersonates both A and B to take part in the 
run of the protocol and he gets the secret information. The intruder can then 
use this secret information to mount an attack in another run of the protocol, 
so we classify them into the third kind. 

In attack 6 [2], the intruder deceives the honest responder B by impersonating 
the server S; the intruder achieves this goal because of the flaw that the protocol 
does not verify the identity of the initiator A. Although the main goal of the 
TMN protocol is not to verify the identities of the communicators, our method 
still finds this leak in the protocol, so we classify this attack into the fourth 
kind. 
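The single-run mode of section 3.2.2.1, the reduction rules of section 3.3 and the six assignments of section 4.1 can be checked mechanically. The Python below is an added example and not the authors' tool: `analyze` applies rules (1) to (4) to one assignment of the variables and then reports which of three goals the mode violates (A deceived about its peer, B deceived about the requester, or an honest nonce exposed through message 1.4, which the intruder overhears and can open whenever the other nonce in it is his own Ni). Rule (1) is interpreted here, as an assumption, so that a message whose two endpoints are both $ simply does not occur (attack 6 relies on this) while a message with exactly one $ endpoint is invalid; the goal definitions are mine and are meant to reproduce the paper's classification, not to replace it. `enumerate_attacks` instantiates every variable and returns all surviving modes that violate a goal, which is the by-hand step of the Running-Mode method.

```python
from itertools import product

# Domains of the small system (section 3.2.1); "$" means "no principal".
INIT = ("A", "I", "I(A)", "$")
RESP = ("B", "I", "I(B)", "$")
SERV = ("S", "I(S)", "$")
INTRUDER_IDS = {"I", "I(A)", "I(B)", "I(S)"}


def _nonce_choices(sender, honest, honest_nonce):
    """Rule (2): a nonce must match its sender; a "$" sender carries anything."""
    if sender == honest:
        return (honest_nonce,)
    if sender in INTRUDER_IDS:
        return ("Ni",)
    return (honest_nonce, "Ni")


def _link_state(src, dst):
    """Rule (1), as interpreted here (assumption): two "$" endpoints mean the
    message does not occur; exactly one "$" endpoint makes the mode invalid."""
    if src == "$" and dst == "$":
        return "absent"
    if src == "$" or dst == "$":
        return "invalid"
    return "sent"


def analyze(m):
    """Return the set of goals violated by running mode m (empty set: no attack),
    or None if rules (1)-(4) discard the mode. m maps the variable names of
    section 3.2.2.1 (X, X1, X2, Y, Y1, Y2, Z1..Z4, Nx1, Ny2) to values."""
    links = [_link_state(m["X1"], m["Z1"]), _link_state(m["Z2"], m["Y1"]),
             _link_state(m["Y2"], m["Z3"]), _link_state(m["Z4"], m["X2"])]
    if "invalid" in links:                                    # rule (1)
        return None
    if m["Nx1"] not in _nonce_choices(m["X1"], "A", "Na"):    # rule (2)
        return None
    if m["Ny2"] not in _nonce_choices(m["Y2"], "B", "Nb"):
        return None
    roles = {m[k] for k in ("X1", "X2", "Y1", "Y2", "Z1", "Z2", "Z3", "Z4")}
    if not roles & INTRUDER_IDS:                              # rule (3)
        return None
    if {m["X1"], m["X2"]} <= INTRUDER_IDS and {m["Y1"], m["Y2"]} <= INTRUDER_IDS:
        return None                                           # rule (4)
    violated = set()
    # A accepts 1.4 naming B, but the nonce in it was not supplied by B.
    if links[3] == "sent" and m["X2"] == "A" and m["Y"] == "B" and m["Y2"] != "B":
        violated.add("A deceived")
    # B accepts 1.2 naming A, but A never started this run or S was impersonated.
    if (links[1] == "sent" and m["Y1"] == "B" and m["X"] == "A"
            and (m["X1"] != "A" or m["Z2"] != "S")):
        violated.add("B deceived")
    # 1.4 = {Ny2}Nx1 is overheard by I; knowing Ni reveals the other nonce.
    if links[3] == "sent":
        if m["X1"] == "A" and m["Y"] == "B" and m["Ny2"] == "Ni":
            violated.add("Na leaked")
        if m["Y2"] == "B" and m["X"] == "A" and m["Nx1"] == "Ni":
            violated.add("Nb leaked")
    return violated


def mode(X, X1, X2, Y, Y1, Y2, Z, Nx1, Ny2):
    """Build a running mode; Z is one value for all of Z1..Z4 or a 4-tuple."""
    Z = tuple(Z) if isinstance(Z, (tuple, list)) else (Z,) * 4
    return dict(X=X, X1=X1, X2=X2, Y=Y, Y1=Y1, Y2=Y2,
                Z1=Z[0], Z2=Z[1], Z3=Z[2], Z4=Z[3], Nx1=Nx1, Ny2=Ny2)


# The six single-run attacks listed in section 4.1 of the paper.
PAPER_ATTACKS = [
    mode("A", "A", "A", "B", "I(B)", "I(B)", "S", "Na", "Ni"),
    mode("A", "A", "A", "B", "B", "I(B)", "S", "Na", "Ni"),
    mode("A", "I(A)", "I(A)", "B", "B", "B", "S", "Ni", "Nb"),
    mode("A", "A", "I(A)", "B", "I(B)", "I(B)", "S", "Na", "Ni"),
    mode("A", "A", "I(A)", "B", "B", "I(B)", "S", "Na", "Ni"),
    mode("A", "$", "$", "$", "B", "B", ("$", "I(S)", "I(S)", "$"), "Na", "Nb"),
]


def enumerate_attacks():
    """Instantiate every variable of the single-run mode and keep the modes
    that survive the reduction rules and violate at least one goal."""
    found = []
    for X, X1, X2 in product(INIT, repeat=3):
        for Y, Y1, Y2 in product(RESP, repeat=3):
            for Z in product(SERV, repeat=4):
                for Nx1 in _nonce_choices(X1, "A", "Na"):
                    for Ny2 in _nonce_choices(Y2, "B", "Nb"):
                        m = mode(X, X1, X2, Y, Y1, Y2, Z, Nx1, Ny2)
                        v = analyze(m)
                        if v:
                            found.append((m, v))
    return found


if __name__ == "__main__":
    for i, m in enumerate(PAPER_ATTACKS, 1):
        print(f"paper attack {i}: {sorted(analyze(m))}")
    print("modes flagged by exhaustive instantiation:", len(enumerate_attacks()))
```

The exhaustive run flags many more modes than the six listed, because modes that differ only in variables irrelevant to the outcome (for example which Zi is S or I(S) on a message that is merely forwarded) are all counted separately; the paper's list keeps one representative per distinct scenario.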

4.2 The attacks when the protocol runs concurrently 

When the protocol runs concurrently, we assign the possible values to the 
variables in the running modes and use our removal rules of section 3.3 to 
discard the impossible modes; we then obtain the following attacks: 

(1) Y1 = Y2 = Z2 = Z3 = X = $, Z5 = Z6 = Z7 = Z8 = S, Z1 = Z4 = I(S), 
Nα = Nα' = Na, Nβ = Nβ' = Ni, X1 = X2 = A, X3 = X4 = X' = I, Y3 = Y4 = I(B), 
Y = Y' = B; 

(2) Y1 = Y2 = Z2 = Z3 = X = $, Z5 = Z6 = Z7 = Z8 = S, Z1 = Z4 = I(S), 
Nα = Nα' = Na, Nβ = Nβ' = Ni, X1 = X2 = X' = A, X3 = X4 = I(A), 
Y3 = Y4 = I(B), Y = Y' = B; 

(3) Y1 = Y2 = Z2 = Z3 = X = $, Z5 = Z6 = Z7 = Z8 = S, Z1 = Z4 = I(S), 
Nα = Nα' = Na, Nβ = Nβ' = Ni, X1 = X2 = X' = A, X3 = X4 = I(A), 
Y3 = Y4 = Y' = I, Y = B; 

(4) Y1 = Y2 = Z2 = Z3 = X = $, Z5 = Z6 = Z7 = Z8 = S, Z1 = Z4 = I(S), 
Nα = Nα' = Na, Nβ = Nβ' = Ni, X1 = X2 = A, X3 = X4 = X' = Y3 = Y4 = Y' = I, 
Y = B; 

(5) X3 = X4 = Z5 = Z8 = Y' = $, Z1 = Z2 = Z3 = Z4 = S, Z6 = Z7 = I(S), 
Nα = Nα' = Ni, Nβ = Nβ' = Nb, X1 = X2 = I(A), X = X' = A, Y1 = Y2 = I(B), 
Y3 = Y4 = Y = B; 

(6) X3 = X4 = Z5 = Z8 = Y' = $, Z1 = Z2 = Z3 = Z4 = S, Z6 = Z7 = I(S), 
Nα = Nα' = Ni, Nβ = Nβ' = Nb, X1 = X2 = I(A), X = X' = A, Y1 = Y2 = Y = I, 
Y3 = Y4 = B; 

(7) X3 = X4 = Z5 = Z8 = Y' = $, Z1 = Z2 = Z3 = Z4 = S, Z6 = Z7 = I(S), 
Nα = Nα' = Ni, Nβ = Nβ' = Nb, X1 = X2 = X = I, X' = A, Y1 = Y2 = I(B), 
Y3 = Y4 = Y = B; 

(8) X3 = X4 = Z5 = Z8 = Y' = $, Z1 = Z2 = Z3 = Z4 = S, Z6 = Z7 = I(S), 
Nα = Nα' = Ni, Nβ = Nβ' = Nb, X1 = X2 = X = Y1 = Y2 = Y = I, X' = A, 
Y3 = Y4 = B; 

(9) Z1 = Z2 = Z3 = Z4 = Z5 = Z6 = Z7 = S, Z8 = X4 = $, 
X1 = X2 = X = Y1 = Y2 = Y = I, X3 = X' = A, Y3 = Y4 = Y' = B, 
Nα = Ni, Nα' = Na, Nβ = Nβ' = Nb; 

(10) Z1 = Z2 = Z3 = Z4 = Z5 = Z6 = Z7 = Z8 = S, X1 = X2 = X = A, 
X3 = X4 = X' = I, Y1 = Y2 = Y = Y' = B, Y3 = Y4 = I(B), Nα = …; 

(11) Z1 = Z2 = Z3 = Z4 = Z5 = Z6 = Z7 = Z8 = S, X1 = X2 = X = X' = A, 
X3 = X4 = I(A), Y1 = Y2 = Y = B, Y3 = Y4 = Y' = I, Nα = Nα' = Na, 
Nβ = Nb, Nβ' = Ni; 

(12) Z1 = Z2 = Z3 = Z4 = Z5 = Z6 = Z7 = Z8 = S, X1 = X2 = I(A), 
X3 = X4 = X = X' = A, Y1 = Y2 = Y = Y' = B, Y3 = Y4 = I(B), Nα = Ni, 
Nα' = Na, Nβ = Nβ' = Nb; 

(13) Y1 = Y2 = Z2 = Z3 = X = $, Z5 = Z6 = Z7 = Z8 = S, Z1 = Z4 = I(S), 
Nα = Nα' = Na, Nβ = Nβ' = Nb, X1 = X2 = A, X3 = X4 = X' = I, 
Y3 = Y4 = Y = Y' = B. 

Now we analyze the attacks in the concurrent runs of the protocol. 

Attack 1: the first run of the protocol 

1.1 A → I(S) : B, {Na}Ks 

now begins the second run of the protocol 

2.1 I → S : B, {Na}Ks 

2.2 S → I(B) : I 

2.3 I(B) → S : I, {Ni}Ks 

2.4 S → I : B, {Ni}Na 

the first run continues 

1.4 I(S) → A : B, {Ni}Na 

In the first run of the protocol, I eavesdrops message 1.1 sent from A to the 
server S in the first step. Because I does not know the private key of the server 
S, he cannot decrypt this information. Then, in the second step, the intruder I 
starts another run of the protocol under his own identity: he sends message 2.1 to the 
server S asking to communicate with B, replaying message 1.1 (eavesdropped 
before) to S; then he intercepts message 2.2 sent from S to B by 
impersonating B and at the same time sends his nonce Ni to S (message 2.3). 
At the end of the second run of the protocol, I can get Na. Finally, I replays 
message 2.4 to A by impersonating S and makes A think that he has the session 
key Ni shared with B (message 1.4), but in fact this key is shared 
between A and I. 

The scenarios of attacks 2, 3 and 4 are almost the same as attack 1; their 
essence is that the intruder replays message 1.1 in a second 
run of the protocol, decrypts the secret information transferred 
in the first run by impersonating different identities, and then replays message 2.4 
by impersonating the server, which makes A think that he has obtained the shared 
key with B while A is in fact deceived. In a word, these attacks obtain the secret message 
and deceive A by a replay attack, so we classify them into the fifth kind of 
attack. 

The essence of attacks 5, 6, 7 [2] and 8 [4] is that in the first run of the 
protocol the intruder takes part in the run under different identities. After message 
1.2, I starts a second run of the protocol by impersonating the server S and 
deceives B into sending a key Nb to share with A. Then the first run of the protocol 
continues, and the intruder replays message 2.3 (from the second run) and 
can get Nb. In a word, these attacks get the secret information and deceive 
B by a replay attack, so we classify them into the sixth kind of attack. 

Attack 9 [3] and attack 10 [2] belong to the same kind. In these 
attacks the intruder listens to the messages of the formal run of the protocol, 
and requests the server, under his own identity, to communicate with himself or with B 
in the second run of the protocol (if he wants to communicate 
with B, he intercepts the messages sent from S to B; if he wants 
to communicate with himself, he replays message 1.3 directly). Finally, 
the intruder can get Nb, but he does not deceive any honest participant. So 
we classify them into the seventh kind of attack. 

In attack 11 [2], the intruder listens to the messages of the formal run of the 
protocol, then requests the server to communicate with himself by 
impersonating A and replays message 1.1; finally, I gets Na. So we classify 
this attack into the eighth kind of attack. 

In attack 12 [2], the intruder puts the two attacks of the independent runs 
of the protocol together and forms a new attack. The intruder can get Nb in 
the first run of the protocol and use Nb to get Na in the second run. So we 
classify this attack into the ninth kind of attack. 

In attack 13, the intruder receives message 1.1 from A by impersonating S, 
then I begins a second run of the protocol. In message 2.1 the intruder replays 
message 1.1, but he cannot decrypt message 2.4 because he does not know the 
secret information Na in this message, so he can only replay message 2.4 as 
message 1.4 and make A think that he has established the shared key with 
B; thus A is deceived. This attack uncovers the flaw in verifying the identity 
of B, and we classify it into the tenth kind of attack. 

By now, we have not uncovered any attack on TMN when it runs three 
times concurrently. However, we have made a complete analysis of the TMN 
protocol using our Running-Mode method and uncovered nineteen attacks, 
which are classified into ten kinds. 

5. Conclusion 

We have analyzed the TMN protocol using the Running-Mode method and 
obtained nineteen attacks on the TMN protocol. Within our small system, we are 
confident that our analysis is complete. This method can not only verify the results of 
model checking, but also uncover new attacks or weaknesses. Therefore, the 
Running-Mode method is an effective method of cryptographic protocol 
analysis. 